0

If I submit the same CSR file twice to my Active Directory Certificate Services (online via the certsrv web interface), I am issued two different certificates (judging by the serial numbers).

Is there a way to configure ADCS to only allow a single certificate for a particular subject at a time? In other words, if AD already has a certificate for foo.example.com that hasn't been expired or revoked, and someone submits another CSR for foo.example.com, I want ADCS to either return the existing certificate or refuse to generate a new one.

There's an option on the certificate template called [] Do not automatically reenroll if a duplicate certificate exists in Active Directory that I thought would do this, but apparently not.

Improve this question

1 Answer 1

Reset to default
2

Is there a way to configure ADCS to only allow a single certificate for a particular subject at a time?

no, there is no way to do this on CA side, it is not CA responsibility. If request passes all validation checks, it results in issued certificate.

Do not automatically reenroll if a duplicate certificate exists in Active Directory

this setting is used exclusively by certificate autoenrollment component and used only for user encryption certificates that are published in AD.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .