AD CS published certificates to wrong AD object

    Question

  • In a Windows Server 2012 R2 environment, after a user's certificate is issued it is published to the Requester's AD object instead of the Subject's object named in the certificate.

    Scenario:

    User A is specified in the CSR's subject
    User B takes the CSR and issues the certificate for User A
    After:

    No certificate exists in User A's object
    User A's certificate exists in User B's object

    Any help would be greatly appreciated. I am expecting that the certificate would be published to the object specified in the subject of the request.

    Chuck



    Friday, December 30, 2016 7:26 PM

All replies

  • Hi,

    >>Any help would be greatly appreciated. I am expecting that the certificate would be published to the object specified in the subject of the request.

    If the certificate template is published in AD DS, you can prevent re-enrollment if a valid certificate of the same certificate template exists for the security principal indicated in the subject by using the re-enrollment option.

    Please check this link for more information:

    CA manager approval required for certificate re-enrollment

    https://blogs.technet.microsoft.com/pki/2011/03/08/ca-manager-approval-required-for-certificate-re-enrollment/


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, January 3, 2017 2:39 AM
    Moderator
  • Usually a user should be requesting a certificate for themselves. If another user is requesting certificates on behalf of a user, then you need an Enrollment Agent. Steps go like this:

    To enroll for a certificate on behalf of other users
    1. Open the Certificates snap-in for a user.

    2. In the console tree, expand the Personal store, and then click Certificates.

    3. On the Action menu, point to All Tasks, point to Advanced Operations, and then click Enroll on behalf of to open the Certificate Enrollment wizard. Click Next.

    4. Browse to the Enrollment Agent certificate that you will use to sign the certificate request that you are processing. Click Next.

    5. Select the type of certificate that you want to enroll for. When you are ready to request a certificate, click Enroll.

    6. After the Certificate Renewal Wizard has successfully finished, click Close.

    Ref: https://technet.microsoft.com/en-us/library/cc770802(v=ws.11).aspx

    Tuesday, January 3, 2017 4:14 AM
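To confirm where the CA actually published the certificate (the symptom in the question) before or after switching to the Enroll on behalf of procedure above, the following PowerShell script, added here and not from this thread, reads the userCertificate attribute of the AD objects named and flags any certificate whose Subject or SAN does not name the object it was published to. It assumes the ActiveDirectory module is available and that usera and userb stand for User A (CSR subject) and User B (requester).

```powershell
# Added example (not from the thread): inspect the userCertificate attribute of the
# AD user objects involved and report certificates that were published to an object
# their Subject/SAN does not name. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-PublishedCertificateReport {
    param(
        # sAMAccountNames to inspect, e.g. the CSR subject (User A) and the requester (User B)
        [Parameter(Mandatory)][string[]]$Identity
    )
    foreach ($id in $Identity) {
        $user = Get-ADUser -Identity $id -Properties userCertificate, userPrincipalName
        $upn  = $user.userPrincipalName
        foreach ($raw in $user.userCertificate) {
            # userCertificate holds DER-encoded blobs; the unary comma passes byte[] as one argument
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
            # Subject Alternative Name (OID 2.5.29.17) carries the UPN on user certificates
            $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
            # The certificate belongs on this object if its SAN UPN or Subject CN names it
            $namesObject = $false
            if ($upn -and ($san -match [regex]::Escape($upn))) { $namesObject = $true }
            if ($cert.Subject -match "CN=$([regex]::Escape($user.Name))(,|$)") { $namesObject = $true }
            [pscustomobject]@{
                Account         = $user.SamAccountName
                Thumbprint      = $cert.Thumbprint
                Subject         = $cert.Subject
                SAN             = $san
                NotAfter        = $cert.NotAfter
                NamesThisObject = $namesObject
            }
        }
    }
}

# Compare User A (CSR subject) with User B (requester); a row under userb with
# NamesThisObject = False is the misplaced certificate described in the question.
Get-PublishedCertificateReport -Identity 'usera', 'userb' | Format-Table -AutoSize
```

A certificate found under User B with NamesThisObject = False can be removed from that object with Set-ADUser -Remove once the correct enrollment path has republished it under User A.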