The mystery of “Valid existing certificate” setting in ADCS certificate templates – demystified

This is a follow-up of “Certificate renewal request is placed in pending state when Valid Existing Certificate is selected in certificate template” blog post and final nail into the subject. Let’s re-iterate the problem. ADCS Certificate Templates provide configuration for issuance requirements, which allows you to forcibly put request in pending state (no automatic issuance)…

Read More

Certificate renewal request is placed in pending state when Valid Existing Certificate is selected in certificate template

PKI Solutions Logo

Hello S-1-1-0, here is a new blog post in a long time. Today I want to talk about the issue when “Valid existing certificate” does not bypass CA Manager approval and/or enrollment agent requirement during certificate renewal in Microsoft CA. In certificate template settings, Issuance Requirements we can configure additional requirements for enrollment and re-enrollment…

Read More

Name Constraints Extension

Naheed Jivani PKI Solutions Consultant

The Name Constraints extension indicates to the relying party what namespaces are acceptable for the various hierarchical name forms such as DN, DNS names, URL, IP address, RFC 822 names, UPN, etc.  The extension is only valid for a CA certificate.  There are two components for this as defined in https://tools.ietf.org/html/rfc5280#section-4.2.1.10 as: Permitted Subtree(s):  This…

Read More

Announcing the Online PKI Assessmental Portal

Guy on Laptop PKI Assessment Portal

I am extremely proud to announce that today we have launched our Online PKI Assessment Portal. This new service is the first of its kind to offer online, automated, self-paced review and assessments of Microsoft ADCS based PKIs. We have been performing onsite PKI Assessments for customers for years now. Typically focused on the design,…

Read More

You cannot download CA certificate from web enrollment pages

PKI Solutions Logo

As part of joining PKI Solutions, several blog posts from my old site are re-posted here for visibility and thoroughness. When you try to download CA certificate from web enrollment pages you get a prompt message with unreadable proposed file name: Do you want to save certnew_cer?ReqID=CACert&Renewal=1&Enc=bin (1,09 KB) from <ServerName> And when you press…

Read More