Certificate attributes
December 13th, 2011 10:10pm

Vadims, Thanks. How do I specify them either within request or via request attributes? -Paul
December 25th, 2011 9:35am

Why do you need this? An application provides attributes as necessary to provide some additional information about the request. And the CA server uses this information during certificate issuance. Attributes are necessary only if the original request doesn't contain them. If no additional information is necessary, attributes are not passed.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
December 25th, 2011 12:58pm

My company is in the process of deploying an internal PKI. We will manage certificates (submission, issuance, revocation, etc.) via a custom, internally written workflow application. One of the things we will request via a webform during certificate request is Requestor First Name, Requestor Last Name. We would like to have our workflow populate these fields in CA DB with this information in the already defined CA DB fields. There will also be the occasion where an original requestor will leave the company prior to that certificate needing to be replaced. When we attempt to notify the user (who no longer exists) that his/her certificate is about to expire, that notification will fail. Therefore, we would like to be able to modify the original requestor email with that person's replacement or manager. Thanks, Paul
December 25th, 2011 1:28pm

Requester account name is populated by default in the CA database (Request.RequesterName column). There is no need to populate additional information to the CA database.
> There will also be the occasion where an original requestor will leave the company prior to that certificate needing to be replaced. When we attempt to notify the user (who no longer exists) that his/her certificate is about to expire, that notification will fail. Therefore, we would like to be able to modify the original requestor email with that person's replacement or manager.
You missed one point. If a user leaves a company, all his/her active certificates (including signing and authentication) must be revoked. If a user held the Key Recovery Agent role, he/she must transfer the KRA certificate (with associated private keys) to a responsible employee (for example, to his/her manager). A new employee should receive a new set of policy-defined certificates. I think you need to review existing AD CS functionality and certificate lifecycle, and use Active Directory information for accounting purposes.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
December 25th, 2011 1:49pm

Vadims, Thanks. I guess I failed to mention, our internal workflow application will only be used for machine certificates (SSL). More specifically the system will be used by non-Microsoft clients that cannot utilize auto-enrollment or Microsoft systems that will require SAN in the certificate. All user certificates will be auto-enrolled and machines that can utilize DN in AD will auto-enroll. Regards, Paul
December 25th, 2011 2:02pm

> Vadims, Thanks. I guess I failed to mention, our internal workflow application will only be used for machine certificates (SSL). More specifically the system will be used by non-Microsoft clients that cannot utilize auto-enrollment or Microsoft systems that will require SAN in the certificate. All user certificates will be auto-enrolled and machines that can utilize DN in AD will auto-enroll. Regards, Paul
In that case you need to add the previous user's mailbox to a new user, so he/she can receive certificate expiration reminders. You cannot modify existing data in the DB.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
December 25th, 2011 2:18pm
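
An added example (not code from the thread or from AD CS): because existing CA database rows cannot be changed, an expiry-notification job can leave Request.RequesterName untouched and resolve the current recipient from directory data at send time, falling back to the manager as the original poster asked. The export layout, the directory snapshot, the sample values and both function names are assumptions made for this sketch.

```python
import csv, io
from datetime import date, timedelta

# Constructed sample: rows as a workflow tool might export them from the CA
# database view. Only Request.RequesterName is a column named in the thread;
# the other column names and all values are assumptions for this example.
CA_EXPORT = """RequestID,Request.RequesterName,CommonName,NotAfter
101,CORP\\jdoe,web01.corp.example,2012-01-20
102,CORP\\asmith,app02.corp.example,2012-01-25
103,CORP\\jdoe,db03.corp.example,2012-09-01
104,CORP\\gone,old04.corp.example,2012-01-15
"""

# Constructed directory snapshot: account -> (enabled, mail, manager account).
DIRECTORY = {
    "CORP\\jdoe":   (False, "jdoe@corp.example", "CORP\\mlee"),
    "CORP\\asmith": (True, "asmith@corp.example", "CORP\\mlee"),
    "CORP\\mlee":   (True, "mlee@corp.example", None),
}

def resolve_recipient(account, directory):
    """Walk requester -> manager until an enabled account with mail is found."""
    seen = set()
    while account and account not in seen:   # 'seen' guards against manager loops
        seen.add(account)
        entry = directory.get(account)
        if entry is None:                    # account deleted from the directory
            return None
        enabled, mail, manager = entry
        if enabled and mail:
            return mail
        account = manager
    return None

def expiry_notifications(export_text, directory, today, days=30):
    """Return (RequestID, CommonName, recipient) for certs expiring within `days`.
    recipient is None when nobody can be resolved and an operator must step in."""
    cutoff = today + timedelta(days=days)
    out = []
    for row in csv.DictReader(io.StringIO(export_text)):
        not_after = date.fromisoformat(row["NotAfter"])
        if today <= not_after <= cutoff:
            rcpt = resolve_recipient(row["Request.RequesterName"], directory)
            out.append((int(row["RequestID"]), row["CommonName"], rcpt))
    return out
```

Rows that come back with no recipient are the ones to review by hand, since the certificate on that machine has no reachable owner.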

Within the CA Console, there are many columns to include in the display of the various types of certificates. Many of the columns when included in the view do not have values. Why? Is there a way to include or add a value? Example: Request First Name, Request Last Name Thanks, Paul
December 25th, 2011 4:15pm

This is because certain fields do not contain any values (within request or request attributes).
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
December 26th, 2011 1:39am

This topic is archived. No further replies will be accepted.
