Server Authentication Certificate Template GPO Option Causes Duplicate Certificate Requests



If you’ve configured the Server Authentication Certificate Template GPO option, which determines the certificate that the machine uses for Remote Desktop connections, and applied it to Server 2008 R2 or older servers, you may find that the CA is issuing a steady stream of duplicate certificates to those machines. It’s a problem with an easy solution, but not an obvious one.

If you read the documentation for the setting (a note that, unhelpfully, is not reproduced in the policy’s explanation text in the GPMC) you’ll soon discover the following:

Important
You must set the certificate template’s attributes Template display name and Template name to the same value.

Because of a disparity in how the API checks whether a certificate for this purpose already exists on the machine, if the Template name is not the same as the Template display name the check fails to recognise the certificate it already has and requests a new one. It does this every time the check runs, which is where the duplicates come from. Since the Template name cannot be changed once a template has been created, the practical fix is to rename the Template display name to match it (or to create a new template with matching names and point the policy at that).
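The following PowerShell script is an added example, not code from the original post, that audits a Remote Desktop Session Host for exactly this condition: it reads the template named by the policy, compares the template’s Template name (cn) and Template display name (displayName) in Active Directory, and then lists every certificate in the machine store that was issued from that template so you can see how many duplicates have accumulated and which one the RDP-Tcp listener is actually bound to. It assumes (these details are not in the post) that the policy writes its value to CertTemplateName under the Terminal Services policy key, that the listener records its certificate as SSLCertificateSHA1Hash under the RDP-Tcp WinStation key, and that the account running it can read the Configuration partition of the forest.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on a domain-joined server that has the policy applied.
# Assumptions, not stated in the post: the policy stores the template name in
# the CertTemplateName registry value, and the RDP-Tcp listener stores the
# thumbprint of the certificate it is using in SSLCertificateSHA1Hash.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$policyTemplate = (Get-ItemProperty -Path $policyKey -Name CertTemplateName -ErrorAction SilentlyContinue).CertTemplateName
if (-not $policyTemplate) {
    Write-Warning 'The Server authentication certificate template policy is not applied on this machine.'
    return
}
Write-Host "Policy template value: $policyTemplate"

# 1. Look the template up in AD by either attribute and compare cn (Template name)
#    with displayName (Template display name). The post says these must match.
$configNc = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(|(cn=$policyTemplate)(displayName=$policyTemplate)))"
$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'displayName', 'msPKI-Cert-Template-OID'))
$tpl = $searcher.FindOne()
if (-not $tpl) {
    Write-Warning "No certificate template named '$policyTemplate' was found in AD."
    return
}
$tplName    = [string]$tpl.Properties['cn'][0]
$tplDisplay = [string]$tpl.Properties['displayname'][0]
$tplOid     = [string]$tpl.Properties['mspki-cert-template-oid'][0]
if ($tplName -eq $tplDisplay) {
    Write-Host "OK: Template name and Template display name both read '$tplName'."
} else {
    Write-Warning ("MISMATCH: Template name '{0}' differs from Template display name '{1}'. " +
                   "Rename the display name to '{0}'; the Template name cannot be changed after creation." -f $tplName, $tplDisplay)
}

# 2. Work out which template each machine certificate came from. v1 templates
#    carry the name in the Certificate Template Name extension (1.3.6.1.4.1.311.20.2);
#    v2+ templates carry the template OID in Certificate Template Information
#    (1.3.6.1.4.1.311.21.7). Returns every identifier the certificate offers.
function Get-CertTemplateIds {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.20.2') {
            $ids += $ext.Format($false).Trim()
        } elseif ($ext.Oid.Value -eq '1.3.6.1.4.1.311.21.7') {
            # Renders as "Template=Name(1.3.6.1.4.1.311.21.8....), Major Version Number=..."
            # or "Template=1.3.6.1.4.1.311.21.8...., ..." when the OID has no local friendly name.
            if ($ext.Format($false) -match 'Template=([^(,]+)(?:\(([^)]+)\))?') {
                $ids += $Matches[1].Trim()
                if ($Matches[2]) { $ids += $Matches[2].Trim() }
            }
        }
    }
    return $ids
}

$targets = @($tplName, $tplDisplay, $tplOid) | Where-Object { $_ }
$issued = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $ids = Get-CertTemplateIds -Cert $_
    @($ids | Where-Object { $targets -contains $_ }).Count -gt 0
}

# 3. Which of them is the RDP-Tcp listener actually using? The registry holds
#    the SHA-1 thumbprint as raw bytes.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$hashBytes = (Get-ItemProperty -Path $rdpKey -Name SSLCertificateSHA1Hash -ErrorAction SilentlyContinue).SSLCertificateSHA1Hash
$boundThumbprint = if ($hashBytes) { ($hashBytes | ForEach-Object { $_.ToString('X2') }) -join '' } else { '' }

$issued | Sort-Object NotBefore |
    Select-Object Thumbprint, NotBefore, NotAfter,
        @{ Name = 'BoundToRDP'; Expression = { $_.Thumbprint -eq $boundThumbprint } } |
    Format-Table -AutoSize

if (@($issued).Count -gt 1) {
    Write-Warning ("{0} certificates issued from template '{1}' are in LocalMachine\My; only the bound one is needed." -f @($issued).Count, $tplName)
}
```

The script only reports. Once the two names match and the machine stops re-enrolling, the surplus certificates can be deleted from the store and revoked on the CA; leave the one flagged BoundToRDP in place so the listener keeps a valid certificate.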

This problem is resolved in Server 2012 R2. It is possibly resolved in Server 2012 as well, but I don’t have a box to hand that I can test with.

As far as I can tell, the “Do not automatically reenroll if a duplicate certificate exists in Active Directory” option has no impact on this issue.

One Reply to “Server Authentication Certificate Template GPO Option Causes Duplicate Certificate Requests”

  1. Hi,

    This has proven quite helpful as we are experiencing the same issue in a company I have recently joined. The display name has a space in the text whereas the template name does not.

    I am hoping that the fix will only involve having to remove the space from the display name so that both attributes match.
