Getting error "the request contains conflicting template information" when trying to use certreq to renew a client cert
You should not specify template name. This information should be extracted from existing certificate (since it is renewal process).
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
October 9th, 2012 12:25pm

Actually you need to supply existing certificate thumbprint in the renewal INF file. It is enough. Everything else will be automatically extracted from existing certificate and placed in the renewal request.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
October 9th, 2012 1:51pm

Please help. We are trying to automate the "renewal" of certificates for our thin clients at our remote location using a script and the certreq commands to pull a new cert from our central server CA. We are getting an error saying "the request contains conflicting template information ... Denied by Policy Module ...". Here is the script:

    $cert = Get-Childitem cert:LocalMachine\My
    #[string]$Subject = "CN=$Env:COMPUTERNAME,OU=Workstations,OU=Retail Store Equipment,DC=retail,DC=x,DC=com"
    [string]$Subject = "CN=$Env:COMPUTERNAME.retail.x.com"
    [string]$TemplateName = "Client Authentication Retail Desktops"
    [string]$CAName = "caserver1.wd.com\EnterpriseSubordinateCA-01"
    [string]$SAN = "$Env:COMPUTERNAME.retail.x.com"
    [string]$renewalCert = $cert.thumbprint
    remove-item C:\supusercert.inf -ErrorAction silentlycontinue -Force
    remove-item C:\supusercert.req -ErrorAction silentlycontinue -Force
    remove-item C:\usercert.req -ErrorAction silentlycontinue -Force
    add-content C:\supusercert.inf "[NewRequest]`r
    MachineKeySet=true`r
    RequestType=CMC`r
    RenewalCert=$renewalCert`r
    Silent=true`r
    Subject=`"$Subject`"`r
    UseExistingKeySet=TRUE`r
    [Extensions]`r
    2.5.29.17 = `"{text}`"`r
    _continue_ = `"DNS=$SAN`"`r"
    certreq -new C:\supusercert.inf C:\usercert.req
    certreq -submit -config "$CAName" C:\usercert.req C:\New.cer
    certreq -accept C:\New.cer
November 3rd, 2012 10:00am

We have tried that and now we are getting another error ... "The DNS name in unavailable and cannot be added to the Subject Alternate name ... Denied by Policy Module" ... but the hostnames are resolvable in DNS. Any help would be much appreciated.
November 3rd, 2012 10:13am

You should not specify template name. This information should be extracted from existing certificate (since it is renewal process).
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
November 3rd, 2012 11:14am

Thanks, Vadims. Would you be kind enough to give me some guidance on how to extract the information from the existing cert and what information I need to extract using the script and certreq commands. Thanks again.
November 3rd, 2012 11:47am

Actually you need to supply existing certificate thumbprint in the renewal INF file. It is enough. Everything else will be automatically extracted from existing certificate and placed in the renewal request.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
November 3rd, 2012 12:40pm
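
The advice in the reply above, as an added example that is not part of the original thread: the renewal INF carries only the thumbprint of the existing certificate, and the script picks exactly one certificate to renew instead of passing the whole store listing. The CA config string is the one from the question; the scratch directory, file names and the selection filter (private key present, not expired, Client Authentication EKU) are assumptions.

```powershell
# Added example: renew a machine certificate by thumbprint only.
# No Subject, template or SAN lines; per the reply, those are taken from the certificate named in RenewalCert.
$CAName        = 'caserver1.wd.com\EnterpriseSubordinateCA-01'  # CA config string from the question
$WorkDir       = Join-Path $env:TEMP 'certrenew'                 # assumed scratch directory
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'                             # Client Authentication EKU

# Cert:\LocalMachine\My can hold several certificates, so select exactly one.
# Assumed filter: private key present, not yet expired, Client Authentication EKU.
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $ClientAuthOid })
})
if ($candidates.Count -eq 0) { throw 'No valid client authentication certificate found to renew.' }

# If more than one matches, renew the one that expires last.
$old = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir 'renew.inf'
$req = Join-Path $WorkDir 'renew.req'
$cer = Join-Path $WorkDir 'renew.cer'
Remove-Item $inf, $req, $cer -ErrorAction SilentlyContinue -Force

# Minimal renewal INF: only keys that already appear in the question's script.
@"
[NewRequest]
RenewalCert = $($old.Thumbprint)
MachineKeySet = TRUE
RequestType = CMC
Silent = TRUE
"@ | Set-Content -Path $inf -Encoding ASCII

# Stop at the first failing step so a denied request is never passed to -accept.
certreq -new $inf $req
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $req)) { throw "certreq -new failed ($LASTEXITCODE)" }
certreq -submit -config $CAName $req $cer
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) { throw "certreq -submit failed ($LASTEXITCODE)" }
certreq -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }
```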

Thanks. I will try that.
November 3rd, 2012 3:28pm
