
  • Status: Solved

Configuring certificate approval on a Windows internal CA

I have an enterprise CA installed in my Windows organization, but for some reason users are able to request User Certificates and automatically install the certificate without an administrator first approving the request. How can I configure the existing User Certificate, or all certificates requested by end users, to fall into the pending folder so that an administrator first reviews the request and then issues the certificate if the request is valid?

Thank you,
1 Solution
By default, users and computers can request certificates, and they will be automatically approved.  To change this behavior, you are going to have to modify the template.  In reality, however, one does not modify a template, but creates a new one based on the original template.

Open up Certification Authority MMC on your CA
Go to Certificate Templates
Right click Certificate Templates, and then select "Manage"
Find the base template (for example User or Computer), right click and select "Duplicate Template".
When prompted for Windows Server 2003 Enterprise or Windows Server 2008 Enterprise, choose the default (2003 Enterprise).  This is just for backwards compatibility.
Give your new template a unique display name and name
Make your necessary changes, changing "Issuance Requirements" to require CA certificate manager approval (see image)
Once you've created your new templates, deactivate your old ones, and then add the new ones.  Do this by:

Close your Certificate Templates Console
Go back to the Certification Authority MMC
Go to Certificate Templates
Right click Computer -> Delete (assuming you are replacing this template)
Right click User -> Delete (assuming you are replacing this template)
Right click Certificate Templates, select New and Certificate Template to Issue.  Here you can add the new templates you've created.

NOTE: Deleting templates from "Certificate Templates" only deletes the templates from the available templates of the Certificate Authority.  It does not delete them permanently.  You can always re-add the original User and Computer certificate templates if you wish.
serg2626 (Author) Commented:
Excellent! It worked. Thank you for the clear instructions!
Glad to have been of assistance.  I find clear, concise instructions very helpful, which is why I try to do it for others :)
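
After swapping templates as described in the solution, it is worth confirming that nothing the CA still publishes auto-issues. The following is an added example, not part of the original answer: it reads each published template's `msPKI-Enrollment-Flag` from Active Directory and reports whether the "CA certificate manager approval" bit is set. It assumes the ActiveDirectory PowerShell module (RSAT), read access to the Configuration partition, and that the final `certutil` line is run on the CA itself.

```powershell
# Added example: audit which templates published on an enterprise CA
# still issue without CA certificate manager approval.
Import-Module ActiveDirectory

# CT_FLAG_PEND_ALL_REQUESTS: set in msPKI-Enrollment-Flag when
# "CA certificate manager approval" is ticked under Issuance Requirements.
$PendAllRequests = 0x2

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Each enterprise CA lists the templates it will issue in certificateTemplates.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties certificateTemplates

$report = foreach ($ca in $cas) {
    foreach ($name in $ca.certificateTemplates) {
        $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
            -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$name))" `
            -Properties displayName, 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature'
        if (-not $tpl) { continue }   # published name with no template object

        # A missing attribute casts to 0, i.e. no approval required.
        $flags = [int]$tpl.'msPKI-Enrollment-Flag'
        [pscustomobject]@{
            CA                   = $ca.Name
            Template             = $tpl.Name
            DisplayName          = $tpl.displayName
            ManagerApproval      = [bool]($flags -band $PendAllRequests)
            AuthorizedSignatures = [int]$tpl.'msPKI-RA-Signature'
        }
    }
}

# Templates that still auto-issue (ManagerApproval = False) sort first.
$report | Sort-Object ManagerApproval, CA, Template | Format-Table -AutoSize

# Requests currently held for review (Disposition 9 = pending).
certutil -view -restrict "Disposition=9" -out "RequestID,RequesterName,CertificateTemplate"
```

Any row showing `ManagerApproval` as `False` is a template that the CA will still issue without review, such as an original User or Computer template that was not removed from the CA's list.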
