ADCS Certificate Request – How to Stop Repeated Request for Same Certificate

active-directoryactive-directory-adcscertificatecertificate-authorityssl-certificate

If I submit the same CSR file twice to my Active Directory Certificate Services (online via the certsrv web interface), I am issued two different certificates (judging by the serial numbers).

Is there a way to configure ADCS to only allow a single certificate for a particular subject at a time? In other words, if AD already has a certificate for foo.example.com that hasn't been expired or revoked, and someone submits another CSR for foo.example.com, I want ADCS to either return the existing certificate or refuse to generate a new one.

There's an option on the certificate template called [] Do not automatically reenroll if a duplicate certificate exists in Active Directory that I thought would do this, but apparently not.

Best Answer

Is there a way to configure ADCS to only allow a single certificate for a particular subject at a time?

no, there is no way to do this on CA side, it is not CA responsibility. If request passes all validation checks, it results in issued certificate.

Do not automatically reenroll if a duplicate certificate exists in Active Directory

this setting is used exclusively by certificate autoenrollment component and used only for user encryption certificates that are published in AD.

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

SSL Certificate – How to View Details of a .cer File

OpenSSL will allow you to look at it if it is installed on your system, using the OpenSSL x509 tool.

openssl x509 -in cerfile.cer -noout -text

The format of the .CER file might require that you specify a different encoding format to be explicitly called out.

openssl x509 -inform pem -in cerfile.cer -noout -text

openssl x509 -inform der -in cerfile.cer -noout -text

On Windows systems you can right click the .cer file and select Open. That will then let you view most of the meta data.

On Windows you run Windows certificate manager program using certmgr.msc command in the run window. Then you can import your certificates and view details.

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

SSL Certificate – How to View Details of a .cer File

Related Topic