If I submit the same CSR file twice to my Active Directory Certificate Services (online via the certsrv web interface), I am issued two different certificates (judging by the serial numbers).
Is there a way to configure ADCS to only allow a single certificate for a particular subject at a time? In other words, if AD already has a certificate for foo.example.com that hasn't expired or been revoked, and someone submits another CSR for foo.example.com, I want ADCS to either return the existing certificate or refuse to generate a new one.
There's an option on the certificate template called "Do not automatically reenroll if a duplicate certificate exists in Active Directory" that I thought would do this, but apparently not.
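Since the CA happily issues a second certificate for the same subject, the practical control is to audit the CA database for subjects that currently hold more than one issued, unexpired certificate. The following PowerShell is an added example, not code from the question or from Microsoft; it assumes it runs with read access to the CA, uses a placeholder value for `$CaConfig`, and relies only on the built-in `certutil -view` command.

```powershell
# Added example: find subjects with more than one issued, unexpired certificate
# in an ADCS CA database. $CaConfig is the usual "HOST\CA Name" string; the value
# below is a constructed placeholder and must be replaced.
param(
    [string]$CaConfig = "CA01.example.com\Example Issuing CA"  # placeholder
)

# certutil restriction: Disposition 20 = issued (21 = revoked, so those drop out),
# NotAfter>now drops certificates that have already expired.
$restrict = "Disposition=20,NotAfter>now"
$columns  = "RequestID,CommonName,SerialNumber,NotBefore,NotAfter"

# certutil prints a header row, quoted CSV data rows, and a status trailer.
$lines = & certutil -config $CaConfig -view -restrict $restrict -out $columns csv

# Keep only data rows (RequestID is numeric and quoted in the first column),
# then re-label the columns with our own header names.
$rows = $lines |
    Where-Object { $_ -match '^"\d+",' } |
    ConvertFrom-Csv -Header RequestID, CommonName, SerialNumber, NotBefore, NotAfter

# Group by the certificate's Common Name. Note: this ignores SAN entries, so a
# duplicate expressed only via dNSName would not be caught by this check.
$duplicates = $rows |
    Where-Object { $_.CommonName } |
    Group-Object CommonName |
    Where-Object { $_.Count -gt 1 }

if (-not $duplicates) {
    Write-Output "No subject currently holds more than one active certificate."
    return
}

# One line per active certificate, grouped by subject and ordered by request ID.
$duplicates | ForEach-Object {
    $_.Group |
        Sort-Object { [int]$_.RequestID } |
        Select-Object CommonName, RequestID, SerialNumber, NotBefore, NotAfter
} | Format-Table -AutoSize
```

This reports existing duplicates; it does not stop the CA from issuing another one, so it is a detective control to run on a schedule alongside whatever enrollment restrictions you settle on.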