Subordinate CA issuing Multiple certificates

  • Question

  • I have configured automatic machine certificate deployment to Win7 clients through Group Policy, and clients are getting certificates as well. When I revoke a computer certificate from the CA console, the next day I can see one new certificate issued to the same computer from the CA. I want to stop this behavior: after I revoke a certificate, the CA shouldn't issue a new certificate. Any help on this?
    Friday, May 6, 2016 8:02 AM


  • Hi,

    You may try to configure "Valid existing certificate" as a requirement for reenrollment.

    Here is the screenshot of my lab:

    As a workaround, I would suggest that you create a group and configure a deny of the auto enrollment permission for this group.

    When you revoke a certificate for a specific computer, just add this computer into this group.

    Best Regards,

    Steven Lee

    Monday, May 9, 2016 9:09 AM
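
The deny-group workaround from the reply above, as an added PowerShell example that is not part of the original thread. The group name, template name and computer name are hypothetical placeholders; the script assumes the ActiveDirectory module is installed and that the account running it can modify the certificate template object.

```powershell
# Added example: names below are hypothetical, not values from the thread.
Import-Module ActiveDirectory

$GroupName    = 'Cert-AutoEnroll-Denied'   # hypothetical deny group
$TemplateName = 'Workstation-Auto'         # hypothetical template CN (not the display name)
$ComputerName = 'PC-EXAMPLE01'             # hypothetical computer whose certificate was revoked

# Rights GUID of the Certificate-AutoEnrollment extended right in AD.
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# 1. Create the deny group once.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$group = Get-ADGroup -Identity $GroupName

# 2. Put a Deny ACE for Autoenroll on the template (skipped if already present).
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates," +
              "CN=Public Key Services,CN=Services,$configNC"
$path = "AD:\$templateDN"
$acl  = Get-Acl -Path $path

$existing = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.ObjectType -eq $AutoEnrollGuid -and
    $_.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier]) -eq $group.SID
}
if (-not $existing) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        [System.Security.Principal.SecurityIdentifier]$group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $AutoEnrollGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# 3. After revoking a computer's certificate, add that computer to the group.
Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $ComputerName)
```

A computer picks up new group membership only when its Kerberos tickets are renewed, typically at the next restart, so the deny may not apply to an autoenrollment cycle that runs before then.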