[MS-WCCE] §3.2.2.6.2.1.4.5.7 CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT question

Vadims Podāns 9,111 Reputation points MVP
2022-01-12T18:48:22.11+00:00

I have a question on CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag processing rule as outlined in [MS-WCCE] §3.2.2.6.2.1.4.5.7

The document says that:

The CA MUST ignore the CT_FLAG_PEND_ALL_REQUESTS flag.

However, my recent tests show opposite: if both, CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT and CT_FLAG_PEND_ALL_REQUESTS set, later flag wins, i.e. renewal request (as per [MS-WCCE] §3.2.1.4.2.1.4.2.2) is put to pending request state. Either, it is a bug in ADCS implementation (which implements [MS-WCCE] and [MS-CRTD]), or it is doc bug and CT_FLAG_PEND_ALL_REQUESTS is always enforced and cannot be overridden by CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT.

Can you clarify where is the problem? In ADCS implementation or in MS-WCCE docs?

Windows Open Specifications
Windows Open Specifications
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Open Specifications: Technical documents for protocols, computer languages, standards support, and data portability. The goal with Open Specifications is to help developers open new opportunities to interoperate with Windows, SQL, Office, and SharePoint.
39 questions
Accepted answer
  1. Obaid Farooqi MSFT 511 Reputation points Microsoft Employee
    2022-03-10T18:41:32.987+00:00

    Forum update:
    This issue is now resolved.
    The reason the renewal is pending is that the CA expect the SubjectAltName in the previously issued certificate to be either of type cert_alt_name_other_name or cert_alt_name_rfc822_name. The name in the previously issued certificate is of type dns name. For this reason, the renewal gets pended. The document is correct as far as the flags priority is concerned. A bug has been filed against MS-WCCE to add the subjectAltName requirements for renewal.

    Regards,
    Obaid Farooqi - MSFT

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vadims Podāns 9,111 Reputation points MVP
    2022-01-13T09:41:26.343+00:00

    Attaching sample CMC renewal request used in tests. Request was put in pending state although the template setting has enabled CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag. Unfortunately, the file upload control is broken on forums, so pasting its content directly: 

    -----BEGIN NEW CERTIFICATE REQUEST-----
MIIOqgYJKoZIhvcNAQcCoIIOmzCCDpcCAQMxCzAJBgUrDgMCGgUAMIIHswYIKwYB
BQUHDAKgggelBIIHoTCCB50wVTBTAgECBggrBgEFBQcHCDFEMEICAQAwAwIBATA4
MDYGCSsGAQQBgjcVBwQpMCcGHysGAQQBgjcVCImQBoO+uDuHwY8PhLjyKoHh71Ul
ARwCAXACAQAwggc+oIIHOgIBATCCBzMwggacAgEAMAAwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBALGevv4NqrgOrWvSaGTQEJf6Jj/pQtqBn4J1MTDg2M0TupK6
2kWUzbLB1tmGww1tMHV4bbZjReXJD5p+tcCSKRrNnDqDD9PWtUJCgLKCDMW2cJ7E
fKzIFWGVCiUiPaHaaa1cu07FspgnCqF1akDXK5ubnvAvfzedtGe4h/PL/IOhAgMB
AAGgggXxMBoGCisGAQQBgjcNAgMxDBYKNS4yLjM3OTAuMjA+BgkrBgEEAYI3FRQx
MTAvAgEBDA9EQzEuY29udG9zby5jb20MDENPTlRPU09cREMxJAwLc3ZjaG9zdC5l
eGUwdgYJKoZIhvcNAQkOMWkwZzAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0OBBYEFAby
O0VSfkvQj9AxGvOGXSXujHYXMDYGCSsGAQQBgjcVBwQpMCcGHysGAQQBgjcVCImQ
BoO+uDuHwY8PhLjyKoHh71UlARwCAXACAQAwgf0GCisGAQQBgjcNAgIxge4wgesC
AQEeWgBNAGkAYwByAG8AcwBvAGYAdAAgAFIAUwBBACAAUwBDAGgAYQBuAG4AZQBs
ACAAQwByAHkAcAB0AG8AZwByAGEAcABoAGkAYwAgAFAAcgBvAHYAaQBkAGUAcgOB
iQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMIIEGQYJ
KwYBBAGCNw0BMYIECjCCBAYwggLuoAMCAQICExYHCAkBAgMEBQYHCAkABAAPRbgw
DQYJKoZIhvcNAQELBQAwRzETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT
8ixkARkWB2NvbnRvc28xFzAVBgNVBAMTDmNvbnRvc28tREMyLUNBMB4XDTIyMDEx
MjE2NTkyN1oXDTIzMDExMjE2NTkyN1owADCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAxlPRfx/zJZ6eFAzhtmXRnMaxQTiNgHAadYQ8TcHyrLGiWDOR6W1jiiEf
hriuYbDHEDATuFw/s+BCLn+e9Gk+Hipm+aO1K8NxnWrMkU2wyaEBJAqxm57LQPfo
RvDE1vqAHrM78A85um56hNvgmKGMNf3Y9SRFsafUxmYpdY8XihUCAwEAAaOCAbQw
ggGwMDUGCSsGAQQBgjcVCgQoMCYwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEwDAYK
KwYBBAGCNxQCAjA2BgkrBgEEAYI3FQcEKTAnBh8rBgEEAYI3FQiJkAaDvrg7h8GP
D4S48iqB4e9VJQEcAgFvAgEAMG0GCCsGAQUFBwEBBGEwXzA0BggrBgEFBQcwAoYo
aHR0cDovL3d3dy5jb250b3NvLmNvbS9wa2kvZGMyaWNhKDQpLmNydDAnBggrBgEF
BQcwAYYbaHR0cDovL2RjMi5jb250b3NvLmNvbS9vY3NwMB0GA1UdDgQWBBSTA+0+
ZjcAdbUIohg46luLJE8CRjALBgNVHQ8EBAMCBaAwHQYDVR0RAQH/BBMwEYIPREMx
LmNvbnRvc28uY29tMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly93d3cuY29udG9z
by5jb20vcGtpL2RjMmljYSg0KS5jcmwwHwYDVR0jBBgwFoAUWyIEl7c3FCe0KfF8
2QwEj2XhhXAwKQYDVR0lBCIwIAYIKwYBBQUHAwIGCCsGAQUFBwMBBgorBgEEAYI3
FAICMA0GCSqGSIb3DQEBCwUAA4IBAQAm8/4c7togtER8MZwiWP77HgT9jtiUO6xP
PloD+BGTC6GhgaGmBDKYwUCMPN5d2DhvVinRNvOTRq27FEHDewhOoldtoPdEyDwA
OVrNA3EUQslBoJi3d4Etdy2NwxI32ghC4rxH2vQnjJHt83Y6AMrUYnXDPTAtq8GV
M9KxlW2yAe54wLZI/kkzUqA9CQXnw2nxXGnDel+fFJoZu3B+XQFmy3h5jrSCACrl
FnNEJKnoUoLPMuWkyfUgA3+3KzacBC+JS/MsA6RDfEqzS8vaFLPQRMMeR5R+pC27
KnSamdyl7mrIByCltuu6jqsq9ZsuIXk13v/wJP45dwynvXUmJQOIMA0GCSqGSIb3
DQEBBQUAA4GBAKfqMWJu1W1TNT5Rrj0nLNSPWBlXNtD0gghuH+8D4gXTPH0htDlW
O0MLW8aHVRJ5Pq1rDTukZXCKFceQE9KXgoUnqCCWS5p2dFlEWPVTDiGi1G/7mn76
tdEne1B1Wdz7QfuQb/AGW2s2Su6tDrQ0SpoMNwJVTfu58fB8kvtIENPtMAAwAKCC
BAowggQGMIIC7qADAgECAhMWBwgJAQIDBAUGBwgJAAQAD0W4MA0GCSqGSIb3DQEB
CwUAMEcxEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdjb250
b3NvMRcwFQYDVQQDEw5jb250b3NvLURDMi1DQTAeFw0yMjAxMTIxNjU5MjdaFw0y
MzAxMTIxNjU5MjdaMAAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMZT0X8f
8yWenhQM4bZl0ZzGsUE4jYBwGnWEPE3B8qyxolgzkeltY4ohH4a4rmGwxxAwE7hc
P7PgQi5/nvRpPh4qZvmjtSvDcZ1qzJFNsMmhASQKsZuey0D36EbwxNb6gB6zO/AP
ObpueoTb4JihjDX92PUkRbGn1MZmKXWPF4oVAgMBAAGjggG0MIIBsDA1BgkrBgEE
AYI3FQoEKDAmMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMBMAwGCisGAQQBgjcUAgIw
NgYJKwYBBAGCNxUHBCkwJwYfKwYBBAGCNxUIiZAGg764O4fBjw+EuPIqgeHvVSUB
HAIBbwIBADBtBggrBgEFBQcBAQRhMF8wNAYIKwYBBQUHMAKGKGh0dHA6Ly93d3cu
Y29udG9zby5jb20vcGtpL2RjMmljYSg0KS5jcnQwJwYIKwYBBQUHMAGGG2h0dHA6
Ly9kYzIuY29udG9zby5jb20vb2NzcDAdBgNVHQ4EFgQUkwPtPmY3AHW1CKIYOOpb
iyRPAkYwCwYDVR0PBAQDAgWgMB0GA1UdEQEB/wQTMBGCD0RDMS5jb250b3NvLmNv
bTA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vd3d3LmNvbnRvc28uY29tL3BraS9k
YzJpY2EoNCkuY3JsMB8GA1UdIwQYMBaAFFsiBJe3NxQntCnxfNkMBI9l4YVwMCkG
A1UdJQQiMCAGCCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAjANBgkqhkiG
9w0BAQsFAAOCAQEAJvP+HO7aILREfDGcIlj++x4E/Y7YlDusTz5aA/gRkwuhoYGh
pgQymMFAjDzeXdg4b1Yp0Tbzk0atuxRBw3sITqJXbaD3RMg8ADlazQNxFELJQaCY
t3eBLXctjcMSN9oIQuK8R9r0J4yR7fN2OgDK1GJ1wz0wLavBlTPSsZVtsgHueMC2
SP5JM1KgPQkF58Np8Vxpw3pfnxSaGbtwfl0BZst4eY60ggAq5RZzRCSp6FKCzzLl
pMn1IAN/tys2nAQviUvzLAOkQ3xKs0vL2hSz0ETDHkeUfqQtuyp0mpncpe5qyAcg
pbbruo6rKvWbLiF5Nd7/8CT+OXcMp711JiUDiDGCAr4wggE2AgEDgBQG8jtFUn5L
0I/QMRrzhl0l7ox2FzAJBgUrDgMCGgUAoH4wFwYJKoZIhvcNAQkDMQoGCCsGAQUF
BwwCMCMGCSqGSIb3DQEJBDEWBBSKsjsejZziWw+FwNU0yMZcFVxzcTA+BgkrBgEE
AYI3FRQxMTAvAgEBDA9EQzEuY29udG9zby5jb20MDENPTlRPU09cREMxJAwLc3Zj
aG9zdC5leGUwDQYJKoZIhvcNAQEBBQAEgYAOVszcd+Dykw/ZJMjrTS9sX9zvu9Db
r7Fc4SVVNG6hvPEFDrR0TUrUxRs7R9yyFDMXPKgvdtps+NK0XVVcu2u9wSvVGwln
8pJiAT8Hy8LmC8dOA4aZKuuQZZQpTK26OO+sVg6Q086gE4x2OtWW5B4Kkit8IlFO
wOFqFh78NZ28rjCCAYACAQEwXjBHMRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYK
CZImiZPyLGQBGRYHY29udG9zbzEXMBUGA1UEAxMOY29udG9zby1EQzItQ0ECExYH
CAkBAgMEBQYHCAkABAAPRbgwCQYFKw4DAhoFAKB+MBcGCSqGSIb3DQEJAzEKBggr
BgEFBQcMAjAjBgkqhkiG9w0BCQQxFgQUirI7Ho2c4lsPhcDVNMjGXBVcc3EwPgYJ
KwYBBAGCNxUUMTEwLwIBAQwPREMxLmNvbnRvc28uY29tDAxDT05UT1NPXERDMSQM
C3N2Y2hvc3QuZXhlMA0GCSqGSIb3DQEBAQUABIGAc1odKBk29tGkjOAPVjldomEm
+xGiMzpBZRUmhvcy6XhMwZ5/ys7wnxmI64x7oQv08+/0C5xCB/hCyEOYDvhWWK2g
xIWq5uXGNq7pya5x+SSXHJNKxnSuhQ2GLbN4Ea2D4tjfm9IDyJWLoQFIyz9GkDvX
f5PkMyBIotzgYywRKRE=
-----END NEW CERTIFICATE REQUEST-----
    1 person found this answer helpful.
    0 comments
  2. Jeff McCashland 6 Reputation points
    2022-02-23T17:10:19.933+00:00

    Hi Crypt32,

    I was able to reproduce the result you reported where the certificate renewal request was unexpectedly pended even though CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT was set.

    Based on my analysis of the traces, the issue is not that the PREVIOUS_APPROVAL flag is not overriding PEND_ALL_REQUESTS, as the code does in fact attempt to do so. However, it is encountering an error (at least in my case) “Bad Renewal Name”. The name on the certificate is the DNS name DC01.lab.local. However it appears to be looking for a UPN rather than a DNS name.

    Best Regards,
    Jeff McCashland
    Microsoft Open Specifications