Hi there,
we are currently testing the following scenario (which we already had working) - the goal is an automated renewal of existing certificates by Cisco IOS devices.
The renewal is working, but needs a manual issuing of the certificate on the CA (pending approval).
As stated by the NDES whitepaper, an automatic renewal signed with the existing certificate should be supported:
The NDES supports certificate renewal where a device uses a previously issued certificate to validate a new certificate request. This feature is supported on Windows Server 2008 R2, Windows Server 2008 Service Pack 2, or on Windows Server 2008 with the KB959193 hotfix installed (http://support.microsoft.com/kb/959193).
By default, when you request a certificate renewal by using this feature, the signer certificate must have the same subject name and alternate subject name as the requested certificate. To circumvent this requirement, set the value of the DisableRenewalSubjectNameMatch registry value to 0x1.
Note that for the certificate renewal the NDES deviates from the SCEP specification and doesn't verify that the certificate being renewed has passed half of its validity period.
Some information about our current environment:
Windows Server 2008 R2 Active Directory Certificate Services
- Root / Issuing architecture, Issuing CA is an Enterprise CA
- Hotfix 353391 / KB2483564 installed http://support.microsoft.com/kb/2483564/en-us
Network Device Enrollment Services (on Issuing-CA)
- No Password (EnforcePassword = 0)
- Custom templates for CEP Encryption / Exchange Enrollment
- Currently testing with default templates CEP Encryption / Exchange Enrollment Agent (Computer)
Custom Device-Template
- Windows Server 2008, Duplicate of IPSec(OfflineRequest)
- RSA 4096, SHA256
- Subject name = Supply in request (and "Use subject information from existing certificates")
- Issuing requirements: CA certificate manager approval; valid existing certificate required for re-enrollment
- NDES account = Read/Enroll
What we already tried
- Using different subject names in the request (with / without serial number)
- Enabling the DisableRenewalSubjectNameMatch switch
- Deactivating the "Use subject information from existing certificates" switch
- Switching the device template to SHA1
Maybe someone has an idea what the problem could be.
Thanks,
MMF
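An added diagnostic for anyone troubleshooting this kind of NDES renewal setup (example code, not part of the original post and not Microsoft's): it reads the NDES registry values the post names (EnforcePassword, DisableRenewalSubjectNameMatch, the three template mappings) and decodes the Active Directory template flags that decide whether a SCEP request is held for approval or may reuse the old certificate's subject. The MSCEP registry path, the AD template container path and the flag bit values are taken from Microsoft's public documentation (MS-CRTD), but treat them as assumptions and verify on your own server; the template name is a placeholder you must replace.

```powershell
# Added example, not from the original post. Reports NDES settings and
# certificate-template flags relevant to SCEP renewal with an existing certificate.
# Assumptions: NDES keeps its settings under the MSCEP key below (documented
# default), templates live in the Configuration NC, flag bits follow MS-CRTD.
param(
    # Placeholder: replace with the CN of your device template.
    [string]$TemplateName = 'CustomDeviceTemplate'
)

$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: report as $null instead of failing
}

# --- NDES registry settings named in the post ---
$ndes = [ordered]@{
    # EnforcePassword lives in its own subkey; 0 disables the challenge password.
    'EnforcePassword'                = Get-RegValueOrNull "$mscep\EnforcePassword" 'EnforcePassword'
    # Documented renewal switch: 1 allows a renewal signer with a different subject.
    'DisableRenewalSubjectNameMatch' = Get-RegValueOrNull $mscep 'DisableRenewalSubjectNameMatch'
    'SignatureTemplate'              = Get-RegValueOrNull $mscep 'SignatureTemplate'
    'EncryptionTemplate'             = Get-RegValueOrNull $mscep 'EncryptionTemplate'
    'GeneralPurposeTemplate'         = Get-RegValueOrNull $mscep 'GeneralPurposeTemplate'
}
Write-Host "NDES registry settings ($mscep):"
$ndes.GetEnumerator() | ForEach-Object { Write-Host ("  {0,-32} {1}" -f $_.Key, $_.Value) }

# --- Certificate template flags from Active Directory ---
$rootDse = [ADSI]'LDAP://RootDSE'
$cfgNc   = $rootDse.configurationNamingContext
$tplPath = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
$tpl     = [ADSI]$tplPath

$enrollFlag = [int]$tpl.Properties['msPKI-Enrollment-Flag'].Value
$nameFlag   = [int]$tpl.Properties['msPKI-Certificate-Name-Flag'].Value

# Bit values per MS-CRTD (assumed; check against the current spec).
$PEND_ALL_REQUESTS              = 0x00000002  # "CA certificate manager approval"
$PREVIOUS_APPROVAL_REENROLLMENT = 0x00000040  # "valid existing certificate" for re-enrollment
$ENROLLEE_SUPPLIES_SUBJECT      = 0x00000001  # "Supply in the request"
$OLD_CERT_SUPPLIES_SUBJECT      = 0x00000008  # "Use subject information from existing certificates"

Write-Host "`nTemplate '$TemplateName':"
Write-Host ("  msPKI-Enrollment-Flag        = 0x{0:X8}" -f $enrollFlag)
Write-Host ("    pend all requests (manager approval): {0}" -f [bool]($enrollFlag -band $PEND_ALL_REQUESTS))
Write-Host ("    previous approval validates re-enrollment: {0}" -f [bool]($enrollFlag -band $PREVIOUS_APPROVAL_REENROLLMENT))
Write-Host ("  msPKI-Certificate-Name-Flag  = 0x{0:X8}" -f $nameFlag)
Write-Host ("    enrollee supplies subject: {0}" -f [bool]($nameFlag -band $ENROLLEE_SUPPLIES_SUBJECT))
Write-Host ("    old cert supplies subject/SAN: {0}" -f [bool]($nameFlag -band $OLD_CERT_SUPPLIES_SUBJECT))

# Plain-language summary of what the CA will do with a renewal request.
if ($enrollFlag -band $PEND_ALL_REQUESTS) {
    if ($enrollFlag -band $PREVIOUS_APPROVAL_REENROLLMENT) {
        Write-Host "`nRenewals signed with a valid existing certificate bypass manager approval; first-time requests are pended."
    } else {
        Write-Host "`nEvery request, including renewals, is pended for manager approval."
    }
} else {
    Write-Host "`nRequests are issued without manager approval (subject to the other template and CA policy checks)."
}
```

Run it as an administrator on the NDES/CA host; the registry part needs local rights, the template part needs domain read access to the Configuration partition. The summary at the end is the quickest way to see whether the "pend all requests" bit alone is set, in which case no SCEP renewal setting will avoid the approval queue, or whether the re-enrollment bit is present and the pending state points elsewhere (for example the renewal signer not being accepted).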