CES and CEP key based renewal – Subject Name formation

haroldpeters 21 Reputation points
2021-09-22T01:39:29.063+00:00

Hi,
According to the article here, it is required to have the certificate template setting “Supply in the request and Use subject information from existing certificates for autoenrollment renewal requests” in order to configure certificate key-based renewal via CEP and CES.

[Attached screenshot: 134110-1.png]

Is it possible to issue the initial certificate with the Subject Name built via the "Build from this Active Directory information" setting, and for renewals use key-based authentication?

[Attached screenshot: 134145-2.png]

The background to this question is that I have some technical user accounts (in Active Directory) where the initial certificate needs to be issued using AD information (Subject Name "Supply in the request" is not an option here). These certificates will then be exported to some other non-domain-joined machines, where they will be used by some applications. So the renewals need to happen on these non-domain-joined machines.

Thanks


1 answer

  1. Limitless Technology 39,506 Reputation points
    2021-09-22T12:01:58.343+00:00

    Hello @haroldpeters ,

    Configure the template for key-based renewal.

    As a prerequisite, configure a CEP and CES server for username and password authentication. In this environment, we refer to the instance as "CEPCES01".

    Configure another CEP and CES instance by using PowerShell for certificate-based authentication on the same server. The CES instance will use a service account.

    In this environment, we refer to the instance as "CEPCES02". The service account that's used is "cepcessvc".

    Configure client-side settings.

    In order to execute the renewals on these non-domain-joined machines, do follow the link below:

    https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/certificate-enrollment-certificate-key-based-renewal

    Hope this answers all your queries, if not please do repost back.
    If an Answer is helpful, please click "Accept Answer" and upvote it : )

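The procedure outlined in the answer above, written out as an added PowerShell example. This is not code from the original post or from the linked Microsoft article: the hostnames, the CA configuration string, the TLS certificate thumbprint, the service account, the subject filter and the policy-server URL are all placeholders you must replace, and the use of certreq's -PolicyServer switch on the client is an assumption about the environment (the policy server can equally be registered via Group Policy or the registry first).

```powershell
# Added example, not part of the original Q&A. All names below are placeholders (assumptions).

# ---- Server side: second CEP/CES instance ("CEPCES02") with certificate authentication ----
# Run elevated on the server that already hosts the username/password instance (CEPCES01).
Import-Module ServerManager
Add-WindowsFeature Adcs-Enroll-Web-Pol   # Certificate Enrollment Policy Web Service (CEP)
Add-WindowsFeature Adcs-Enroll-Web-Svc   # Certificate Enrollment Web Service (CES)

$sslThumb = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder: thumbprint of the site's TLS cert
$caConfig = 'CA1.contoso.com\contoso-CA1-CA'              # placeholder: "<CA host FQDN>\<CA common name>"
$svcAcct  = 'contoso\cepcessvc'                           # service account from the answer

# CEP instance: certificate authentication, advertising key-based renewal to clients.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate `
    -SSLCertThumbprint $sslThumb -KeyBasedRenewal -Force

# CES instance: certificate authentication, renewal only, running as the service account.
# -RenewalOnly keeps this endpoint from issuing brand-new certificates; -AllowKeyBasedRenewal
# lets a caller authenticate with the certificate it is renewing instead of a domain identity.
Install-AdcsEnrollmentWebService -CAConfig $caConfig -SSLCertThumbprint $sslThumb `
    -AuthenticationType Certificate -ServiceAccountName $svcAcct `
    -ServiceAccountPassword (Read-Host "Password for $svcAcct" -AsSecureString) `
    -RenewalOnly -AllowKeyBasedRenewal -Force

# ---- Client side: non-domain-joined machine holding the exported certificate and key ----
# Pre-flight checks a practitioner wants before attempting the renewal:
#  1. the certificate is in the machine store with its private key (key-based renewal
#     authenticates with that key; a cert exported without it cannot renew this way);
#  2. the machine trusts the issuer of the CEP/CES TLS certificate, or the HTTPS call fails.
$subjectFilter = 'CN=svc-app01*'   # placeholder: subject of the technical user's certificate
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $subjectFilter } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert)               { throw "No certificate matching $subjectFilter in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; cannot do key-based renewal" }

# Certificate-authenticated CEP endpoint of CEPCES02 (placeholder hostname; the path is the
# default CEP path for certificate authentication, but confirm it against your IIS binding).
$policyUrl = 'https://cepces02.contoso.com/ADPolicyProvider_CEP_Certificate/service.svc/CEP'

# Renew in place with the existing key. -machine targets the machine store, -q suppresses UI.
# Assumption: passing the policy server URL on the command line is acceptable here; otherwise
# register the policy server via Group Policy/registry and drop the -PolicyServer switch.
certreq -machine -q -PolicyServer $policyUrl -enroll -cert $cert.Thumbprint renew

# Verify that a newer certificate with the same subject now exists.
$renewed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $cert.Subject -and $_.NotAfter -gt $cert.NotAfter }
if ($renewed) { "Renewed: $($renewed.Thumbprint) valid until $($renewed.NotAfter)" }
else          { Write-Warning "No newer certificate found; check certreq output and the CES/IIS logs" }
```

Note that this only covers the transport and authentication path. Whether the renewed certificate keeps the original subject still depends on the template settings the question asks about: key-based renewal requires the template to allow the subject to be supplied in the request and to reuse subject information from the existing certificate on renewal, which is why the referenced article lists that setting as a prerequisite.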