Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Populate Subject Name for Offline Templates on Renew
Published Jan 24 2020 01:47 PM 1,581 Views
Microsoft

First published on TECHNET on Aug 21, 2009

Offline templates are certificate templates that require the subject name to be part of the certificate request. The certificate authority will use the subject name supplied in the request as the subject name of the certificate to issue. This is different from online templates where the Microsoft Certificate Authority (CA) looks in Active Directory (AD) to determine the subject name for the certificate to issue.

You can configure this on the certificate template snap-in. See screen shot below [Figure 1]. The checkbox that says: “Use subject information from existing certificates for autoenrollment renewal requests” is available only in Windows Server 2008 R2.

Figure 1: Subject Name tab of certificate template snap-in. “Supply in the request” means it is an offline template.

Pre-Windows 7, the auto-enrollment client would not auto-renew machine certificates whose certificate template was an offline template [Table 1: row 1, column 4]. Also, Pre-Windows 7, user certificates whose certificate template was an offline template would require user interaction during renew so that the user could type in the subject name to be included as part of the certificate request [Table 1: see row 3, column 4].

On Windows 7, the auto-enrollment client will auto-renew machine certificates whose certificate template is an offline template only if the “Use subject information from existing certificates for autoenrollment renewal requests” checkbox is turned on [Table 1: row 2, column 4]. This option is only available in Windows Server 2008 R2 for version 2 or version 3 machine templates. The behavior for user certificates in Windows 7 is unchanged.

Table 1
Client Operating System Machine Or User Auto-Enroll Auto-Renew
Pre-Windows 7 Machine No No
Windows 7 Machine No Yes – With “Use subject from existing certificates” option from server
Pre-Windows 7 User Yes – With UI Pop-up Yes – With UI Pop-up
Windows 7 User Yes – With UI Pop-up Yes – With UI Pop-up
Version history
Last update:
‎Feb 21 2020 06:30 AM
Updated by: