Hi Vadims ( @Vadims Podāns ),
I have read through all the documentation you wrote, including the comments and answers.
I am already familiar with most of it (except for some details), since I implement/configure/use this on a daily basis for my customers.
To make sure I didn't miss something, I have re-read the article https://www.sysadmins.lv/blog-en/certificate-autoenrollment-in-windows-server-2016-part-2.aspx, which gives a more in-depth view of the certificate autoenrollment processing rules.
My findings based upon your documentation
To summarize what I have understood from that article, under the chapter "Automatic certificate renewal":
- In the first step, autoenrollment enumerates all existing certificates that use certificate templates and checks their validity.
- If an existing certificate passes the validation checks, autoenrollment examines whether the certificate template is set up for autoenrollment.
- Autoenrollment then passes the certificate to the certificate chaining engine (CCE) to determine its validity.
- If the existing certificate's validity meets the renewal threshold, autoenrollment will submit a renewal request to the CA server.
All of the above applies to my case, except for one important thing (and I assume that this is the 'by design' you are referring to): the certificates were initially manually enrolled, as they required input for the website names.
Our case of manually enrolled certificates
Looking further into the chapter "Renew manually enrolled certificates", I read the following:
Manually enrolled certificate renewal [happens] if none of the following conditions are true:
2. Existing valid and non-expired certificate based on this certificate template is found.
I assume that the latter is the 'by design' part of the process you are referring to. Once the first certificate has been renewed, the condition applies and therefore other certificates based on the same template are archived.
Remaining question
I certainly understand that you call it 'by design', if this is indeed the exact case you are pointing me to.
However, in my opinion, a design can contain flaws. Earlier you wrote:
"Autoenrollment never was designed to handle multiple certificates based on same template where autoenrollment is configured".
Although I now certainly understand this to be true, the original document you refer to was for XP, and that article does not contain the specific condition you described. So I was wondering where you got this information regarding the conditions from?
My 2 cents about this condition
In my opinion, this 'by design' issue is something which Microsoft should look into, as certificate use (TLS, ...) and autoenrollment become increasingly popular for private websites in enterprises. Web server SSL certificates in these web farms are set up in large numbers, and they should be auto-renewed without any manual or script-based solution, since that is exactly the definition of the word 'autorenewal'.
Last but not least
- Vadims (@vps), I already want to thank you for pointing me in the direction of your documentation, so that I have a better understanding of the design.
- To Microsoft: regarding the design, I certainly would be a happy customer if Microsoft were able to have a look at this specific condition and rework it, so that these certificates with different identities are not archived/deleted but renewed.
Thanks!
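As an added example (not part of this post, nor code from Vadims' articles), the following PowerShell script checks a web server for exactly the condition quoted above: more than one valid, non-expired certificate issued from the same certificate template in the local machine store, which is the situation in which autoenrollment will renew at most one of them. The store path, the renewal window in days and the way the template name is read from the certificate extensions are assumptions made for this example.

```powershell
# Added example: find certificate templates that have several live certificates
# in the machine store, i.e. the case where autoenrollment renewal of manually
# enrolled certificates stops working as the poster expects.
#
# Assumptions for this example:
#  - run in an elevated PowerShell on the web server;
#  - $RenewalWindowDays approximates the template's renewal period;
#  - the template is read from the "Certificate Template Information"
#    (1.3.6.1.4.1.311.21.7) or the legacy "Certificate Template Name"
#    (1.3.6.1.4.1.311.20.2) extension.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [int]$RenewalWindowDays = 42
)

function Get-TemplateIdentifier {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        switch ($ext.Oid.Value) {
            '1.3.6.1.4.1.311.21.7' {
                # Format() yields e.g. "Template=WebServer(1.3.6.1.4.1.311.21.8...), Major Version Number=100, ..."
                $text = $ext.Format($false)
                if ($text -match 'Template=([^,]+)') { return $Matches[1].Trim() }
                return $text.Trim()
            }
            '1.3.6.1.4.1.311.20.2' {
                return $ext.Format($false).Trim()
            }
        }
    }
    return $null   # no template extension: not template-based, autoenrollment ignores it
}

$now  = Get-Date
$rows = foreach ($c in (Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey })) {
    $template = Get-TemplateIdentifier -Certificate $c
    if (-not $template) { continue }
    [pscustomobject]@{
        Template      = $template
        Subject       = $c.Subject
        Thumbprint    = $c.Thumbprint
        SerialNumber  = $c.SerialNumber
        NotAfter      = $c.NotAfter
        Valid         = ($c.NotBefore -le $now -and $c.NotAfter -gt $now)
        DueForRenewal = ($c.NotAfter -gt $now -and ($c.NotAfter - $now).TotalDays -le $RenewalWindowDays)
    }
}

# Group by template. More than one valid certificate per template is the
# condition under which autoenrollment will not renew the remaining ones.
foreach ($group in ($rows | Group-Object -Property Template)) {
    $valid = @($group.Group | Where-Object { $_.Valid })
    $flag  = if ($valid.Count -gt 1) { 'MULTIPLE VALID - autoenrollment renews at most one' } else { 'ok' }
    Write-Host ("Template {0}: {1} valid certificate(s) - {2}" -f $group.Name, $valid.Count, $flag)
    $group.Group | Sort-Object NotAfter | Format-Table Subject, Thumbprint, NotAfter, DueForRenewal -AutoSize

    # For the affected certificates that are inside the renewal window, print the
    # explicit renewal command (the script-based workaround) instead of running it.
    if ($valid.Count -gt 1) {
        foreach ($due in ($valid | Where-Object { $_.DueForRenewal })) {
            Write-Host ("  certreq -Enroll -machine -q -cert {0} Renew ReuseKeys   # {1}" -f $due.SerialNumber, $due.Subject)
        }
    }
}
```

The script only reports; the printed `certreq -Enroll ... Renew ReuseKeys` lines renew one certificate each by serial number and can be scheduled per certificate, which is the manual/script-based path the post argues should not be necessary.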