How can we stop a repeated request for the same certificate in ADCS?

tjlds

6/6/24, 7:24 AM

If I submit the same CSR file twice to my Active Directory Certificate Services (online via the certsrv web interface), I am issued two different certificates (judging by the serial numbers).

Is there a way to configure ADCS to only allow a single certificate for a particular subject at a time? In other words, if AD already has a certificate for foo.example.com that hasn't been expired or revoked, and someone submits another CSR for foo.example.com, I want ADCS to either return the existing certificate or refuse to generate a new one.

There's an option on the certificate template called [] Do not automatically reenroll if a duplicate certificate exists in Active Directory that I thought would do this, but apparently not.

1 + 0

certificate

active-directory

ssl-certificate

certificate-authority

active-directory-adcs

Score:2

Server

Crypt32

6/6/24, 7:53 AM

Is there a way to configure ADCS to only allow a single certificate for a particular subject at a time?

no, there is no way to do this on CA side, it is not CA responsibility. If request passes all validation checks, it results in issued certificate.

Do not automatically reenroll if a duplicate certificate exists in Active Directory

this setting is used exclusively by certificate autoenrollment component and used only for user encryption certificates that are published in AD.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How can we stop a repeated request for the same certificate in ADCS?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.