how to complete enrollment with mmc?
generally the problem and theoretical solution is answered in this thread: http://social.technet.microsoft.com/forums/en-us/winserversecurity/thread/F1593BD0-1476-4772-AA5E-1C0ECA65F0A0

the problem is that it does not work /:

environment: w2k8 R2 ent, template with manager approval and without 'publish in AD' [but i've tested with publish as well], client on w7.

scenario: user requests the certificate, it appears in 'pending request', manager approves the cert, it appears in issued certificates. on the client machine in 'Certificate enrollment requests' i may find the req.

problem: how may the user finish the request without additional cert manager action? i know that if the cert manager exports the certificate and sends it to the user, (s)he may install it and it works. but it requires an additional communication channel - and most important - additional information about the user - phone, email or such. if the certificate template does not have email included, the scenario for the administrator is getting hard:
- check user name
- find user in AD
- check email/phone some other
- contact user
- send certificate to the user with instructions
- user may install certificate

-o((: nExoR :))o-
April 19th, 2012 12:54pm

in the Certificates MMC, select root node -> right-click -> All Tasks -> Automatically Enroll and Retrieve Certificates...

HTH.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
April 19th, 2012 1:32pm

you definitely did not read my post... moreover this option [same as certutil -pulse] is for 'autoenrollment' certificate. it's silly to grant 'autoenroll' for manager approved certificates

-o((: nExoR :))o-
April 19th, 2012 4:08pm

There is one way through certreq.exe, but for that you need to know the RequestID of the pending certificate. If that is known, then you can use the certreq.exe -retrieve option to retrieve the pending certificate. Details can be found at: http://technet.microsoft.com/en-us/library/cc725793(v=ws.10).aspx

Commands to run:

    certreq.exe -retrieve -config <CAConfig string> <RequestID> <OutPutCertFile.cer>

This retrieves the issued certificate for RequestID into the file OutPutCertFile.cer. Then the user must type:

    certreq -accept <OutPutCertFile.cer>

This will place the certificate in the current user's store.

However, it's recommended to request pended certificates via the Web enrollment Web pages, as through the web pages the client can track the status of the pending certificate.
April 20th, 2012 5:03am

Hi nExor, Does this solve your problem?
April 24th, 2012 6:02am

i'll be able to check it tomorrow

-o((: nExoR :))o-
April 24th, 2012 11:20am

ok. i checked that and ... no, it does not solve my problem. it just teaches me how to avoid it: if someone started with the GUI it is not possible to retrieve the certificate. i was not able to find a way to check RequestID from the user side. the only way to proceed is that the administrator exports the binary certificate from the CA and sends it back to the user.

IMHO this is a bug in a GUI process. more precisely, option 'automatically enroll and *retrieve* certificates' should be able to check the request in the 'Certificate enrollment Request' store and retrieve it from the server.

thx for help. some bugs you just have to live with q:

-o((: nExoR :))o-
April 25th, 2012 4:37am

Hi,

One way is to check the event logs. When you request a certificate with pending status, the requestid gets recorded at the following log path: Event Viewer -> Windows Logs -> Applications. From here you can get the request id, and later, when that certificate is issued by the CA admin, you can use

    certreq.exe -retrieve -config <CAConfig string> <RequestID> <OutPutCertFile.cer>

and

    certreq -accept <OutPutCertFile.cer>

to retrieve and install the certificate.
May 21st, 2012 4:36am
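
The retrieve-and-accept sequence from the replies above, written out as an added PowerShell example (not code from any poster in the thread). It assumes the RequestID is already known, that the 'Certificate Enrollment Requests' node corresponds to the Cert:\CurrentUser\REQUEST store, and the parameter names and default output path are hypothetical.

```powershell
# Added example: finish a pending, manager-approved enrollment from the user side.
# Assumptions: the caller supplies the CA config string and the RequestID
# (found as described in the thread); parameter names are hypothetical.
param(
    [Parameter(Mandatory = $true)][string]$CAConfig,   # placeholder form: "<CAHost>\<CA name>"
    [Parameter(Mandatory = $true)][int]$RequestId,
    [string]$OutFile = (Join-Path $env:TEMP "request-$RequestId.cer")
)

# Start clean so a stale file is never mistaken for a fresh CA response.
if (Test-Path $OutFile) { Remove-Item $OutFile }

# Step 1: ask the CA for the issued certificate (same command as in the thread).
& certreq.exe -retrieve -config $CAConfig $RequestId $OutFile
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $OutFile)) {
    throw "Request $RequestId was not retrieved (still pending, denied, or wrong CA config)."
}

# Step 2: before installing, confirm the certificate answers a request made by
# this user. The pending request is kept as a dummy certificate in the REQUEST
# store, so the issued certificate must carry the same public key.
$path      = (Resolve-Path $OutFile).Path
$issued    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
$issuedKey = [BitConverter]::ToString($issued.GetPublicKey())
$match = Get-ChildItem Cert:\CurrentUser\REQUEST |
    Where-Object { [BitConverter]::ToString($_.GetPublicKey()) -eq $issuedKey }
if (-not $match) {
    throw "No pending request in the current user's store matches '$($issued.Subject)'."
}

# Step 3: bind the certificate to the waiting private key and install it
# into the current user's store.
& certreq.exe -accept $path
if ($LASTEXITCODE -ne 0) {
    throw "certreq -accept failed with exit code $LASTEXITCODE."
}
"Installed certificate $($issued.Thumbprint) for request $RequestId."
```

The public-key comparison in step 2 stops a mistyped RequestID from handing the user a certificate that was issued for someone else's request.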

This topic is archived. No further replies will be accepted.
