Populate Subject Name for Offline Templates on Renew

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

Offline templates are certificate templates that require the subject name to be part of the certificate request. The certificate authority will use the subject name supplied in the request as the subject name of the certificate to issue. This is different from online templates where the Microsoft Certificate Authority (CA) looks in Active Directory (AD) to determine the subject name for the certificate to issue.

You can configure this on the certificate template snap-in. See screen shot below [Figure 1]. The checkbox that says: “Use subject information from existing certificates for autoenrollment renewal requests” is available only in Windows Server 2008 R2.

Figure 1: Subject Name tab of certificate template snap-in. “Supply in the request” means it is an offline template.

Pre-Windows 7, the auto-enrollment client would not auto-renew machine certificates whose certificate template was an offline template [Table 1: row 1, column 4]. Also, Pre-Windows 7, user certificates whose certificate template was an offline template would require user interaction during renew so that the user could type in the subject name to be included as part of the certificate request [Table 1: see row 3, column 4].

On Windows 7, the auto-enrollment client will auto-renew machine certificates whose certificate template is an offline template only if the “Use subject information from existing certificates for autoenrollment renewal requests” checkbox is turned on [Table 1: row 2, column 4]. This option is only available in Windows Server 2008 R2 for version 2 or version 3 machine templates. The behavior for user certificates in Windows 7 is unchanged.