Incorrect certificate "Issued By" when using CA Certificate manager approval

Anonymous
2024-10-22T12:15:27+00:00

I have a certificate template that is configured to apply the SAN in the request. This is required on a web server where the server name and the website name may be different (i.e. a clustered web server).

On the template in the Issuance Requirements I have configured to require a CA Certificate Manager Approval. The CA has been configured to only allow requests from a specific computer and only Domain/Enterprise Admins can approve the request.

The whole process works as I would expect.

On the Request Server a user requests the Certificate and completes the relevant information

A Domain Admin then approves the Certificate request on the Subordinate CA

The certificate is then issued to the client under Certificate Enrollment Requests

The issue that I do not understand is as follows:

When I look at the certificate issued on the Subordinate CA everything looks correct. The issuing CA is the expected CA and it has a thumbprint of x.

When I then look at the certificate on the host that has requested the Certificate in the Certificate Enrollment Requests everything looks correct, i.e. the EKU, Template information, SAN etc. However, the "Issued By" is set to the same as the "Issued To" and the thumbprint is completely different to the one on the CA.

If I remove the requirement for the approval from a CA Certificate Manager, the issued certificate appears in the Computer\Personal Certificates exactly the same as it's issued on the CA.

The major issue with this is that with CA Manager Approval the "Issued By" is NOT the Subordinate CA and therefore there is no Certificate Chain, as such clients will not be able to validate this certificate. And if I remove the requirement to use the approval process I leave the template available to be compromised.

Does anyone have any suggestions as to what I am doing wrong, or is this expected behaviour? Thanks




7 answers

  1. Anonymous
    2024-10-22T14:24:02+00:00

    Hello Emerson Kent,

    Thank you for posting in Microsoft Community forum.

    I have done a test in my lab, and I got the same result as you. It seems it is expected behavior.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2024-10-23T08:10:07+00:00

    Thanks for looking, Daisy.

    This doesn't feel like it should work like that though. This means that any issued certificates with manager approval are completely useless unless they are also added to the Root Certificate Store on every machine, which completely goes against how you would configure Certificates in any environment.

    There must be something that I am missing!

  3. Anonymous
    2024-10-23T09:09:53+00:00

    Hello

    Good day!

    I think you should copy the certificate in Issued Certificates container on CA to client machine and install it on client machine.

    Best Regards,
    Daisy Zhou

  4. Anonymous
    2024-10-23T09:57:19+00:00

    Hi,

    Yes, I thought/tried that also. However, you can only export the public key from the Issuing CA. The private key is in the Certificate that is issued to the client, but the thumbprint and the "Issued By" are completely different in both certificates.

  5. Anonymous
    2024-10-29T08:16:40+00:00

    Hello

    Greetings!

    You can try to export it as .pfx certificate.

    Retrieve the certificate we just requested by running certreq -retrieve requestID (in my case, the command is certreq -retrieve 14).

    Save as the .pfx certificate.


    Best Regards,
    Daisy Zhou

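The retrieve-and-export step from the answer above, written out as an added PowerShell example that is not part of the thread. It uses request ID 14 as in the answer, placeholders for the CA config string and the thumbprint shown on the CA, and assumes the pending request lives in the local machine store; before exporting, it verifies that what landed in Personal is the CA-issued certificate (Issuer differs from Subject, private key bound, chain builds) rather than the self-signed enrollment placeholder.

```powershell
# Added example, not code from the thread. Placeholders are marked; adjust for your CA.
$RequestId = 14                              # request ID from the answer above
$CaConfig  = 'SUBCA-HOST\Contoso-SubCA'      # placeholder: <CAHost>\<CAName>
$CaThumbprint = 'THUMBPRINT-FROM-CA'         # placeholder: thumbprint shown on the CA's Issued Certificates
$PfxPath   = 'C:\temp\webserver.pfx'

# 1. Pull the approved certificate down from the CA. certreq pairs it with the private key held by the
#    pending request, replacing the self-signed placeholder in "Certificate Enrollment Requests"
#    with the real certificate in Cert:\LocalMachine\My.
certreq -retrieve -machine -config $CaConfig $RequestId
if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed with exit code $LASTEXITCODE" }

# 2. Find the installed certificate by the thumbprint the CA reports.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $CaThumbprint
if (-not $cert) { throw "Certificate $CaThumbprint not found in LocalMachine\My after retrieve" }

# 3. Checks that separate the issued certificate from the enrollment placeholder:
#    the placeholder is self-signed (Issuer equals Subject) and does not chain to the CA.
if ($cert.Issuer -eq $cert.Subject) { throw "Still self-signed: Issuer equals Subject" }
if (-not $cert.HasPrivateKey)       { throw "No private key bound to the certificate" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep this check offline; revocation is checked separately
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    throw "Chain does not build to a trusted CA: $status"
}
# Expected order: leaf, then the Subordinate CA, then the Root.
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }

# 4. Only once the chain is confirmed, export certificate plus private key for the other cluster nodes.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
```

Run from an elevated prompt on the requesting server; if the request was made in the user context rather than the machine context, drop `-machine` and look in `Cert:\CurrentUser\My` instead.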