Re: How to renew a certificate programmicaly
From: Vishal Agarwal[MSFT] (vishala_at_online.microsoft.com)
Date: 06/01/04
- Previous message: Gil: "smart card logon fails with status 0xC00000BB"
- Next in thread: Alon Bar-Lev: "Re: How to renew a certificate programmicaly"
- Reply: Alon Bar-Lev: "Re: How to renew a certificate programmicaly"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 1 Jun 2004 10:23:14 -0700
To renew a certificate via an Enterprise CA, and to use the template feature
that specifically allows the same user to renew a certificate if and only if
that user holds an existing valid certificate for the same template, requires
identity enforcement. This is done by making sure the templates in the old
certificate and new request are the same, and by enforcing that the subject
UPN matches the old certificate UPN.
If you don't want to enforce the identity match for renewal requests, then
you are free to configure the template to eliminate the RA signature
requirement for initial enrollment.
Thanks,
Vishal Agarwal [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights

"Alon Bar-Lev" <alon@xor-t.com> wrote in message news:uebxTa9QEHA.568@TK2MSFTNGP12.phx.gbl...
> Thank you Vishal,
>
> But I don't understand what the UPN has to do with the renewal process.
> PKI processes should be separated from the Active Directory stuff.
>
> Should I understand that Microsoft Enterprise CA does not support
> renewing certificates that do not have UPN extension? I find it hard to
> believe.
>
> Can you please refer me to a document that specifies the renew process?
>
> Best Regards,
> Alon Bar-Lev.
>
> "Vishal Agarwal[MSFT]" <vishala@online.microsoft.com> wrote in message
> news:OEbP0P7QEHA.3612@TK2MSFTNGP10.phx.gbl...
> > The likely reason is that the signing cert's (the old cert's) Subject Alt
> > Name 2 extension must contain a UPN entry, the impersonated caller context
> > must map to a valid user object in the DS that also contains a UPN, and the
> > two UPNs must match.
> >
> > Since this is referencing an offline template, the DS is not even queried
> > for the caller's UPN, so the renewal UPN matching requirements cannot be
> > met.
> >
> > Thanks,
> > Vishal Agarwal [MSFT]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights
> >
> > "Alon Bar-Lev" <alon@xor-t.com> wrote in message
> > news:enBjov1QEHA.396@TK2MSFTNGP12.phx.gbl...
> > > Thank you Vishal,
> > >
> > > Yes, I think the request is correctly signed, since it is working if I
> > > remove the application policy restriction. Please notice that the
> > > application policy restriction is "Enrollment Agent" and that the "old
> > > certificate" does not have this application policy.
> > >
> > > I cannot see this template in the MMC snap-in; I guess it is because it
> > > has "X number of authorized signatures" and "Subject details supply in
> > > request".
> > >
> > > Attached is a sample of PKCS#7 that I am generating...
> > > (I am selecting the template name at the enrollment form, I also put it in
> > > the request, but it seems to have no effect).
> > >
> > > I will be glad to know what I am doing wrong!
> > >
> > > Best Regards,
> > > Alon Bar-Lev
> > >
> > > "Vishal Agarwal[MSFT]" <vishala@online.microsoft.com> wrote in message
> > > news:e7rFNV0QEHA.1392@TK2MSFTNGP09.phx.gbl...
> > > > This should have worked unless the wrong certificate was used in the
> > > > renewalCertificate. Are you sure that the request is created correctly?
> > > >
> > > > If you have the certificate installed in the user store, you can open
> > > > the certificate snap-in and then right-click on the certificate and choose
> > > > "renew with same key"; if that succeeds, then likely the request you are
> > > > creating is wrong.
> > > >
> > > > Thanks,
> > > > Vishal Agarwal [MSFT]
> > > >
> > > > --
> > > > This posting is provided "AS IS" with no warranties, and confers no rights
> > > >
> > > > "Alon Bar-Lev" <alon@xor-t.com> wrote in message
> > > > news:upoj5R0PEHA.556@TK2MSFTNGP10.phx.gbl...
> > > > > Thank you Vishal,
> > > > >
> > > > > The problem was that the certificate context of the RenewalCertificate
> > > > > property should have a private key, and that the format of the
> > > > > createRequest should be PKCS#7. (My mistake was that I thought the
> > > > > interface is able to generate the PKCS#10 request with the proper
> > > > > attributes...)
> > > > >
> > > > > Now, after I succeeded in creating a renew request, I have a new problem
> > > > > with the templates...
> > > > > I want to define a template where the first certificate is issued by an
> > > > > RAO and the renewal is based on the user certificate.
> > > > > I defined a template with these Issuance Requirements:
> > > > > - This number of authorized signatures: 1
> > > > > - Policy type: Application Policy
> > > > > - Application Policy: Certificate Request Agent
> > > > > - Require the following for reenrollment: Valid Existing Certificate.
> > > > > My template also has Subject Name: Supply in the request.
> > > > >
> > > > > As I understand, this template requires a "Certificate Request Agent"
> > > > > signature for the first issuance, but the user can renew his
> > > > > certificate anytime with the signature of his current certificate.
> > > > >
> > > > > The error message I get:
> > > > > Your Request Id is 74. The disposition message is "Denied by Policy
> > > > > Module 0x8009480b, The Test-Authentication-Renew-Exportable Certificate
> > > > > Template requires 1 signatures, but only 0 were accepted.
> > > > >
> > > > > I've also tried to set my CA system time to a date that is within the
> > > > > renewal period... but it still does not work.
> > > > >
> > > > > If I remove the "This number of authorized signatures: 1" from the
> > > > > template, the renew works correctly!
> > > > >
> > > > > Any idea?
> > > > > Best Regards,
> > > > > Alon Bar-Lev
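The two identity rules Vishal describes (same template in the old certificate and the new request, and matching subject UPNs carried in the Subject Alternative Name otherName), together with the "N authorized signatures" fallback that produced Alon's "requires 1 signatures, but only 0 were accepted" denial, can be modelled in a few lines. The following is an added example written for this page, not code from either poster and not the Windows policy module or CryptoAPI: the DER encoder/decoder is a minimal hand-written one covering only the UPN otherName and dNSName forms, the `CertFacts`/`RenewalRequest` types and `check_renewal` function are hypothetical, the decision ordering (identity match first, RA signatures second) and the case-insensitive UPN comparison are assumptions, and all sample names are constructed.

```python
# Added example, not code from the thread. Models the renewal identity check
# (same template + matching UPN) and the RA-signature fallback described above.
from dataclasses import dataclass
from typing import Optional, Tuple

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # szOID_NT_PRINCIPAL_NAME: UPN otherName type-id


def _len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _len(len(body)) + body


def _oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_san(upn: Optional[str] = None, dns_names: Tuple[str, ...] = ()) -> bytes:
    """Build a SubjectAltName value (GeneralNames SEQUENCE). A UPN travels as
    otherName [0] { type-id UPN_OID, value [0] EXPLICIT UTF8String };
    dNSName is the IMPLICIT [2] IA5String form."""
    names = b"".join(_tlv(0x82, d.encode("ascii")) for d in dns_names)
    if upn is not None:
        names += _tlv(0xA0, _oid(UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8"))))
    return _tlv(0x30, names)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def _decode_oid(body: bytes) -> str:
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def extract_upn(san_der: bytes) -> Optional[str]:
    """Return the UPN from a SubjectAltName value, or None when there is none
    (the offline, subject-supplied-in-request case from the thread)."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag != 0xA0:
            continue  # rfc822Name, dNSName, ... are not otherName
        _, oid_body, after_oid = _read_tlv(body, 0)
        if _decode_oid(oid_body) != UPN_OID:
            continue
        _, explicit, _ = _read_tlv(body, after_oid)
        _, utf8, _ = _read_tlv(explicit, 0)
        return utf8.decode("utf-8")
    return None


@dataclass
class CertFacts:              # hypothetical: facts pulled from a certificate
    template: str             # Certificate Template extension (name or OID)
    san: bytes                # DER SubjectAltName value
    valid: bool = True        # expiry/revocation assumed checked elsewhere


@dataclass
class RenewalRequest:         # hypothetical: facts pulled from the PKCS#7 request
    template: str
    san: bytes
    renewal_cert: Optional[CertFacts]  # cert that signed the renewal, if any
    ra_signatures: int = 0             # Certificate Request Agent signatures accepted


def check_renewal(req: RenewalRequest, required_signatures: int = 1) -> Tuple[bool, str]:
    """Simplified decision (ordering is an assumption): a renewal signed by a valid
    certificate from the same template whose UPN matches the new request is the
    user's own renewal; anything else must carry the template's RA signatures."""
    old = req.renewal_cert
    if old is not None and old.valid and old.template == req.template:
        old_upn, new_upn = extract_upn(old.san), extract_upn(req.san)
        if old_upn and new_upn and old_upn.lower() == new_upn.lower():  # case-insensitive: assumption
            return True, "accepted: renewal from same template with matching UPN"
    if req.ra_signatures >= required_signatures:
        return True, "accepted: required RA signatures present"
    return False, (f"denied: template requires {required_signatures} signatures, "
                   f"but only {req.ra_signatures} were accepted")


if __name__ == "__main__":
    old = CertFacts("UserRenew", encode_san("alice@corp.example"))  # constructed sample
    print(check_renewal(RenewalRequest("UserRenew", encode_san("alice@corp.example"), old)))
    print(check_renewal(RenewalRequest("UserRenew", encode_san(), old)))  # no UPN: offline template
```

The last call reproduces Alon's situation: with Subject Name supplied in the request and no UPN in the SAN, the identity match cannot be satisfied, so the only remaining path is the RA signature the template demands, and a request with zero accepted signatures is denied.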