I have a certificate template (auto-enrolled) that must require manager approval.
To achieve this, I checked the CA certificate manager approval checkbox in the Issuance Requirements tab.
The computer does auto-enroll and the certificate is placed on the Pending queue on the CA.
My wish is that once the pending certificate was manually approved, certificates should be renewed, or updated if the template major version increments, without manager approval. But I can't get this to work.
When I increment the major version of the certificate, the request is never automatically issued, but again put into the Pending queue for manual issuance.
I tried changing the Same criteria as for enrollment to Valid existing certificate but this didn't change anything.
To speed up my troubleshooting, I used certutil -pulse
to start the auto-enrollment process on the requesting computer.
Edit:
The auto-enrollment policy on the affected server:
Best Answer
I've opened a support case with Microsoft on behalf of OP (TrackingID#2201120040008993) about the issue. As I pointed in comments, the OP's setup is correct and I was able to repro in my environment. The support ticket is opened against [MS-WCCE] protocol, §3.2.1.4.2.1.4.2.2 specification.
Microsoft Support was able to confirm the issue. Further investigation discovered that Microsoft CA implements [MS-WCCE] §3.2.2.6.2.1.4.5.7 requirement to ignore
CT_FLAG_PEND_ALL_REQUESTS
flag whenCT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT
properly. However, further investigation found that Microsoft CA in one of internal request processing routines fails withBad Renewal Name
which attempts to bind requester UPN name to the one stored in Active Directory. However since it is computer template, the UPN is not available (hence the error) and renewal procedures are aborted and initial request procedures executed: request placed in pending requests. And this UPN binding condition is not documented anywhere.I've set up same scenario for user template (which writes down the UPN in certificate) and it worked well: initial request was placed in pending requests, renewal automatically renewed and issued the certificate.
In current state, "valid existing certificate" option works for user templates only and doesn't work for computer templates. There is no available workaround.
I'm continuing conversations with Microsoft Support and will update this response when new information is available.
HTH
Update 19.10.2022
Microsoft published updated documentation which includes conditions the request must meet in order to enable "Valid existing certificate" enforcement: [MS-WCCE] §3.2.2.6.2.1.4.8 CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT Enforcement Conditions