Discrepancy in CertMgr certificate request from 2008 Certificate Services
Has anyone noticed that if you request a code signing template, the issued certificate is returned to the client with the 'issued by' referring to the subject? When you check in CA manager, the copy of the certificate in the CA store is correctly marked as being 'issued by' the CA. They are supposed to be the same certificate, but they are different in that most important of aspects - it makes the issued certificate on the client worthless. I have checked this out with a number of clients (Vista, Win7 and Server 2008 itself) and they all produce the same error.
Anthony Sheehy - MCP, MCITP
November 6th, 2009 8:02pm

Hello, maybe you think about using the security forum for CA related questions:
http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.isaserver
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
November 9th, 2009 2:33am

Hi, I've moved the thread to the security forum, for it is a PKI-related issue. As for the issue, I cannot reproduce it on my site. Please check the Issuer field value of the code signing certificate: is it equal to the Subject field value? You can run the command certutil -store -user MY on the client computer and post the output to this thread for research. I look forward to your response.
Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
November 9th, 2009 6:02am

Especially, please tell us:
- what method do you use for the enrollment
- could you please provide a screenshot
- could you please give us a listing of CERTUTIL -verify the-signing-cert.cer
And one note from myself - I currently have an issue with a public web site certificate, which has an EMPTY SUBJECT altogether, but only on my Windows 7 computer and another Windows 2008. Others see it normally. Even CERTUTIL displays the subject as empty. The cert is signed, but not valid in the browser because the Subject name is missing. Maybe it is a similar issue.
ondrej.
November 9th, 2009 9:39am

Does the CodeSigning template in your environment require manual CA manager approval? If yes, in certmgr.msc you should select the top node (Certificates - Current User), right-click and select All Tasks -> Automatically enroll and retrieve certificates. It looks like you see the request certificate with the private key (that was used to send the request to the CA).
Ondrej, can you provide some examples about your issue?
http://www.sysadmins.lv
November 9th, 2009 12:51pm

Hi Anthony, How's everything going? We have not heard back from you in a few days and wanted to check if you have had time to collect the information. If there is anything unclear, please feel free to let us know. Thanks.
Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
November 11th, 2009 8:50am

Sorry about the delay, so many other bits and pieces going on at the same time. Ever feel like you are juggling plates?
Here is an image of what I am talking about. The cert on the left is what appears in Certificate Enrolment Requests after the certificate is issued. On the right is the certificate as held for the same request on the CA. In fact, it is not just the Issued from that's scrambled, it's the serial number and the expiry date. The only thing that is not scrambled that is of use is the Key. My work-around for this is to extract the key from the useless certificate and combine it with the cert on the CA.
Joson, all I get from certutil is:
    C:\Users\anthony.sheehy>certutil -store -user MY
    MY
    CertUtil: -store command completed successfully.
Vadims, yes, I require manual approval. I have tried auto-enrolment and the same issue occurs.
Regards
Anthony Sheehy - MCP, MCITP
November 11th, 2009 1:52pm

> in certmgr.msc you should select the top node (Certificates - Current User), right-click and select All Tasks -> Automatically enroll and retrieve certificates
Have you tried this?
http://www.sysadmins.lv
November 11th, 2009 4:07pm

Vadims, you stated "Does the CodeSigning template in your environment require manual CA manager approval? If yes,..." 'If yes' means that manual CA manager approval is required and the certificate does not auto-enroll. Therefore, "Automatically enroll and retrieve certificates" presents a blank page. I did change the template in the past to auto-enrol and tried auto-enrollment, but the same issue occurs. Am I missing something really obvious?
Anthony Sheehy - MCP, MCITP
November 11th, 2009 4:36pm

I have asked about manager approval just to ensure whether it is true. IIRC, when you use autoenrollment you will receive certificates at the next logon after request approval. Looking at your screenshot I see that your request is sent to the CA and is in pending state. And when the CA manager approves this request, the user will need to manually retrieve certificates.
http://www.sysadmins.lv
November 11th, 2009 4:48pm

To supplement Vadims' answer: through autoenrollment you can request and obtain a certificate, but autoenrollment does not serve as a certificate issuing mechanism. Therefore, if you have set the "require manual CA manager approval" option, the workflow is as follows:
Autoenrollment:
1) automatically request a certificate for a user (on the client side)
2) manually approve the request by the CA manager (CA side) (e.g. MMC CA console | Pending Requests | select the proper request and choose All Tasks | Issue)
3) automatically fetch the certificate (on the client side)
If autoenrollment is not involved, the user needs to go through steps 1 and 3 manually. Now it looks like you have done step 1) and perhaps 2), but your certificate is not installed correctly. To do this, export the issued certificate from the CA console and import it into the personal store on the client computer. You can export the certificate from the CA console by opening MMC Certification Authority | Issued Certificates | select the proper certificate and open it, choose Details | Copy to File ...
Best regards
Martin Rublik
November 11th, 2009 6:29pm

Ok, there are some major misunderstandings here, and I think that a lot of it has to do with the terrible (IMO) UI for pending certificates in certmgr.msc. I'll try and lay out the problems and misunderstandings here.

UI Problem #1
When one requests a certificate using certmgr.msc against a certificate template that requires Certificate Manager approval, a new node appears in certmgr.msc called Certificate Enrollment Requests with a child node called Certificates. When one selects the Certificates node, the status bar in certmgr.msc says "Certificate Enrollment Requests store contains (X) certificates", where X is the number of requests.
I'm sorry, but until the Certificate Manager approves the request, the CA issues the certificate, and the end user installs the certificate, what is on the local machine is not a certificate and should not be presented as such.

UI Problem #2
I'm checking with a contact at Microsoft, but so far I've not been able to work out a method to use certmgr.msc to retrieve the certificate once the Certificate Manager has approved the request and the CA has issued the request. I'll let you know what I find out in this regard.

Misunderstanding
Anthony, as above, what you're seeing in certmgr.msc is not really a certificate, despite what the UI says, which is why you're seeing issues with the Subject/Issuer fields and with the serial number. It also explains why, when you run the certutil -store -user MY command, no certificates are listed. At this point, you don't have any certificates in your local store.
As for your comment about "... extract the key from the useless certificate and combine it with the cert on the CA", I have no idea what that means. What process exactly do you use to perform this action? You can't change or modify a certificate, since a certificate is a signed object and any modification to it would invalidate the signature, making the certificate useless.

Summary
The real issue to me here is: once a request for a certificate against a template that requires approval has been made with the certmgr.msc console, how does one then retrieve the issued certificate once approved? If, as I'm beginning to suspect, you can't actually use the console to retrieve the certificate, then you should only use the web enrollment method for requesting certificates against templates that require approval.
I'll respond back when I hear more about the console.
Paul Adare CTO IdentIT Inc. ILM MVP
November 11th, 2009 7:00pm

Hi Anthony, please note that the Certificate Enrollment Requests container is used to store the pending or rejected certificate requests. As others mentioned, the cause is that the certificate has not been installed/imported into the Personal store of the user account. That's why the MY store is empty. If the certificate has been issued (on the CA side), please retrieve and install it on the client computer. If there is anything unclear, please feel free to respond back.
This posting is provided "AS IS" with no warranties, and confers no rights.
November 12th, 2009 5:17am

Thank you Paul, that has gone quite a long way towards explaining much of what I am seeing. In response to your question about how I extract the key, etc., see my blog entry here. The problem being (in response to Joson) that the certificate on the CA does not contain the private key, which (if I understand correctly) is needed for code signing. However, on careful study of the two certificates, the key identifiers in both the above-posted certificate examples are identical. I can therefore use third party tools (openssl, etc.) to extract the private key and combine it with the certificate retrieved from the CA. But I must say, it is quite a long work-around.
A couple of notes:
1. I have had little success with the web interface, with standard users not being presented with the full list of certificate templates that they are allowed to request or enroll for.
2. I had not actually noticed the Certificate Request node until after I approved the certificate and refreshed the Certmgr tree. Hence my assumption that what I have been seeing is the issued certificate. I understand now that this is simply a request file (am I correct?) as opposed to a certificate?
Anthony Sheehy - MCP, MCITP
November 12th, 2009 11:02am

You're welcome Anthony, and I've been in contact with one of the PKI devs at Microsoft and have some more information. In the first place, I was incorrect when I stated that what you see in the Certificate Enrollment Requests node is really a request and not a certificate. What you see in that node is what Microsoft refers to as a "dummy" certificate, and it is used to help retrieve the actual certificate from the CA. There are attributes on this dummy certificate that allow you to retrieve the real certificate from the CA and then to correctly associate the private key with the installed certificate. So, while I still think that the UI is not the best, the explanation I received does make a certain amount of sense. I'd still prefer to see the actual request in that node, rather than the dummy certificate, and I've provided that feedback.
As for your blog post, you're doing a lot more work than you really need to do. :-) Again, given the UI, totally understandable. There are a few ways to retrieve the actual certificate from the CA.
1. Use certreq.exe -retrieve <request_id>. This will allow you to retrieve the approved certificate. Once you've done so, right-click the resulting file and choose Install. This will install the certificate into your local store and will associate the private key with the certificate.
2. Use the Certification Authority console to save the approved certificate to a file and then import it.
3. In the certmgr.msc console on the machine where you requested the certificate, right-click the Certificates - Current User node, point to All Tasks, and then click Automatically Enroll and Retrieve Certificates... This will allow you to use the console to get the certificate. Note that you need to have auto-enrollment enabled in Group Policy, but apparently the certificate template does not need to be enabled for auto-enrollment.
As an aside, from a security perspective, Code Signing certificates, due to their nature, should be considered to be "high-value" certificates and at the very least should be stored on a smart card or have their private keys protected by an HSM. Failing that, at a minimum, it should be standard practice that once such a certificate is used to sign some code, and is not going to be needed for a while, it should be exported to a PFX file, along with its private key, and then be deleted from the local certificate store.
One last thing to keep in mind with Code Signing certificates is that in the absence of a timestamping service, once the certificate expires, your clients will no longer accept the certificate and will start to throw errors when running code signed with it.
Hope this helps.
Paul Adare CTO IdentIT Inc. ILM MVP
November 12th, 2009 11:35am
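As an added example (not from this thread or from any of its posters) of the check implied by the explanation above, this PowerShell script lists what sits in the current user's REQUEST store (the store behind the Certificate Enrollment Requests node), flags entries whose Issuer equals their Subject as the placeholder rather than a usable certificate, and matches them by Subject Key Identifier against a certificate file already retrieved from the CA; the $IssuedCertPath parameter and the file name issued.cer are assumptions.

```powershell
# Added example, not from this thread: inspect the "dummy" certificates that
# certmgr.msc shows under Certificate Enrollment Requests and match them, by
# Subject Key Identifier, against the certificate actually issued by the CA.
# Assumption: the issued certificate was already saved to a file, e.g. with
#   certreq -retrieve <request_id> issued.cer
param(
    [Parameter(Mandatory = $true)]
    [string]$IssuedCertPath   # hypothetical parameter: path to the retrieved .cer
)

function Get-Ski {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] }
    if ($ext) { return $ext.SubjectKeyIdentifier } else { return $null }
}

$issued    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuedCertPath
$issuedSki = Get-Ski $issued

# The real certificate must NOT be self-issued; its Issuer should be the CA.
if ($issued.Subject -eq $issued.Issuer) {
    Write-Warning "Retrieved file is self-issued; this is not the CA-issued certificate."
}
"Issued by CA : $($issued.Issuer)"
"Serial       : $($issued.SerialNumber)"
"Expires      : $($issued.NotAfter)"

# REQUEST is the store behind the Certificate Enrollment Requests node.
Get-ChildItem Cert:\CurrentUser\REQUEST | ForEach-Object {
    $ski = Get-Ski $_
    [pscustomobject]@{
        Thumbprint      = $_.Thumbprint
        Subject         = $_.Subject
        IssuerIsSubject = ($_.Subject -eq $_.Issuer)                 # placeholder, not usable for signing
        HasPrivateKey   = $_.HasPrivateKey                           # key pair generated for the request
        MatchesIssued   = (($null -ne $ski) -and ($ski -eq $issuedSki)) # same key pair as the issued cert
    }
} | Format-Table -AutoSize

# Once a match is found, installing the issued file (Install in Explorer, or
# certreq -accept issued.cer) binds it to that private key in the Personal store,
# so no manual key extraction with third-party tools is needed.
```

A MatchesIssued row that is true while the Personal (MY) store is still empty is exactly the state described in this thread: the key exists, the certificate is issued, and only the install step remains.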

Hi Anthony, how are you? I want to check the current status of the issue. Do the suggestions help? If you have any further questions or concerns, please feel free to respond back.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
November 16th, 2009 5:41am

Thank you all for this. Yes, it explains a lot.
Anthony Sheehy - MCP, MCITP
November 16th, 2009 5:07pm
