One headache for System Administrators has been renewing certificates generated from Offline Templates. Relief from this arduous task is available in Windows Server 2008 R2.
Certificate Templates that are configured so that the requestor must provide the identity in the request are called "Offline" Certificate Templates. One of the disadvantages of "Offline" Certificate Templates is that they could not be used with Autoenrollment.
If you take a look at the Subject tab of a Version 2 or Version 3 Certificate Template you will notice two settings. The first setting is "Supply in the request". The second setting is "Build from this Active Directory information". To enable Autoenrollment, this second setting must be configured on the Certificate Template. And it makes sense: if you are going to provision certificates automatically, you need to pull the identity information from somewhere in order to determine what the Subject or Subject Alternative Name (SAN) for a certificate will be. That is exactly what the Certification Authority does for autoenrolled certificates.
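To see which of the two Subject tab settings each template in a forest uses, the template objects can be read from Active Directory. The script below is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module is installed and that the account can read the Configuration partition, and it takes the flag values from Microsoft's certificate template structure specification (MS-CRTD).

```powershell
# Added example: report how each certificate template obtains its subject.
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration partition.
Import-Module ActiveDirectory

# Bit values defined in MS-CRTD.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT          = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME = 0x00010000   # msPKI-Certificate-Name-Flag
$CT_FLAG_AUTO_ENROLLMENT                    = 0x00000020   # msPKI-Enrollment-Flag

# Either bit means the requestor provides identity information ("Offline" template).
$supplyMask = $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -bor $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME

# Templates are stored under the Public Key Services container of the forest.
$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$props = 'displayName',
         'msPKI-Certificate-Name-Flag',
         'msPKI-Enrollment-Flag',
         'msPKI-Template-Schema-Version'

Get-ADObject -SearchBase $templateBase -SearchScope OneLevel `
             -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
    Select-Object Name,
        @{ n = 'DisplayName';   e = { $_.displayName } },
        @{ n = 'SchemaVersion'; e = { $_.'msPKI-Template-Schema-Version' } },
        @{ n = 'SubjectSource'; e = {
               # A missing attribute casts to 0, which reads as "Build from AD".
               if (([int]$_.'msPKI-Certificate-Name-Flag') -band $supplyMask) {
                   'Supply in the request'
               } else {
                   'Build from this Active Directory information'
               }
           } },
        @{ n = 'AutoenrollFlag'; e = {
               [bool](([int]$_.'msPKI-Enrollment-Flag') -band $CT_FLAG_AUTO_ENROLLMENT)
           } } |
    Sort-Object SubjectSource, Name |
    Format-Table -AutoSize
```

Templates listed as "Supply in the request" are the "Offline" templates described above, and they are the ones where the Certification Authority does not derive the Subject or SAN from the directory.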