When do AD certificates get renewed?

David Beaven

We have an enterprise CA issuing computer certificates to client computers
with a validity period of one year. When will the certificate get reissued
(i.e. how long before the certificate expires)?

What happens if a VPN user doesn't connect for, say, a week while away from
the office? I assume their certificate will expire and then they will be
prevented from forming the L2TP/IPsec connection needed to connect to AD to
get the new certificate.
Thanks
David
 
Teething

The cert will be good until the expiry date.

After a ticket expires, it is added to the CRL. Once added to the CRL,
when that ticket tries to authenticate (depending on your domain
policies) it can be autorenewed or you will have to have the client PC
request a new cert manually.
 
Paul Adare - MVP - Microsoft Virtual PC

microsoft.public.win2000.security news group, David Beaven
> We have an enterprise CA issuing computer certificates to client computers
> with a validity period of one year. When will the certificate get reissued
> (i.e. how long before the certificate expires)?

I'm assuming here that your CA is running on Windows Server 2003
Enterprise Edition and that you're referring to autoenrollment and
renewal. If so, then you'd need to look at the template that the
certificates are based upon. There is a Validity Period listed and a
Renewal Period. Clients will start attempting to renew the certificate
once they enter the renewal period.
> What happens if a VPN user doesn't connect for, say, a week while away from
> the office? I assume their certificate will expire and then they will be
> prevented from forming the L2TP/IPsec connection needed to connect to AD to
> get the new certificate.

Correct. If the certificate has expired, they'll need some other method
to get a new one.


--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 
Paul Adare - MVP - Microsoft Virtual PC

the microsoft.public.win2000.security news group, Teething
> The cert will be good until the expiry date.

True.


> After a ticket expires, it is added to the CRL.

Not true. A CRL is a Certificate Revocation List. A revoked certificate
is not the same thing as an expired certificate, and expired
certificates are not added to the CRL. As a matter of fact, the opposite
is true. When a revoked certificate expires, it is removed from the CRL
one CRL publication period after its expiration.




--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 
David Beaven

Paul,
Thanks for that.
See 'Certificate Autoenrollment in Windows Server 2003'. The default for
most templates is a renewal period of six (6) weeks before expiration, which
should do fine!
David


Paul Adare - MVP - Microsoft Virtual PC said:
> microsoft.public.win2000.security news group, David Beaven
> > We have an enterprise CA issuing computer certificates to client computers
> > with a validity period of one year. When will the certificate get reissued
> > (i.e. how long before the certificate expires)?
>
> I'm assuming here that your CA is running on Windows Server 2003
> Enterprise Edition and that you're referring to autoenrollment and
> renewal. If so, then you'd need to look at the template that the
> certificates are based upon. There is a Validity Period listed and a
> Renewal Period. Clients will start attempting to renew the certificate
> once they enter the renewal period.
> > What happens if a VPN user doesn't connect for, say, a week while away from
> > the office? I assume their certificate will expire and then they will be
> > prevented from forming the L2TP/IPsec connection needed to connect to AD to
> > get the new certificate.
>
> Correct. If the certificate has expired, they'll need some other method
> to get a new one.
>
>
> --
> Paul Adare
> "On two occasions, I have been asked [by members of Parliament],
> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> will the right answers come out?' I am not able to rightly apprehend
> the kind of confusion of ideas that could provoke such a question."
> -- Charles Babbage (1791-1871)
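The two points Paul makes above (a client can only autorenew once it is inside the template's renewal period, and a revoked certificate stays on the CRL until one publication period after it expires) as an added worked example; this is not code from the thread or from Windows, and the one-year validity, six-week renewal period, weekly CRL publication and sample dates are constructed from the figures in the thread, with the exact window boundaries an assumption.

```python
from datetime import date, timedelta

# Constructed from the thread: one-year validity, six-week renewal period
# (the default David cites); weekly CRL publication is an assumed figure.
VALIDITY = timedelta(days=365)
RENEWAL_PERIOD = timedelta(weeks=6)
CRL_PUBLICATION_PERIOD = timedelta(days=7)


def cert_state(not_before, not_after, now, renewal_period=RENEWAL_PERIOD):
    """Classify a certificate the way an autoenrolling client sees it.
    The renewal window is assumed to be [not_after - renewal_period, not_after)."""
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if now >= not_after - renewal_period:
        return "renewal-window"
    return "valid"


def first_renewal_opportunity(not_after, contact_dates, renewal_period=RENEWAL_PERIOD):
    """Given the dates a roaming client can actually reach the CA (e.g. over
    the VPN), return the first date on which autoenrollment could renew, or
    None when every contact misses the window and the cert will expire unrenewed."""
    window_start = not_after - renewal_period
    for d in sorted(contact_dates):
        if window_start <= d < not_after:
            return d
    return None


def still_on_crl(revocation_date, not_after, now, crl_period=CRL_PUBLICATION_PERIOD):
    """A revoked certificate is listed from its revocation date until one CRL
    publication period after its expiry. A certificate that was never revoked
    is not on the CRL at all, expired or not (Paul's correction above)."""
    if revocation_date is None:
        return False
    return revocation_date <= now < not_after + crl_period


if __name__ == "__main__":
    issued = date(2024, 1, 1)
    expires = issued + VALIDITY          # 2024-12-31; window opens 2024-11-19
    # Roaming user: in the office 10 Nov, away, back on the VPN 25 Nov.
    for when in (date(2024, 11, 10), date(2024, 11, 25), date(2025, 1, 2)):
        print(when, cert_state(issued, expires, when))
    print(first_renewal_opportunity(expires, [date(2024, 11, 10), date(2024, 11, 25)]))
```

A week's absence is harmless as long as the client reaches the CA at least once inside the six-week window; an absence longer than the renewal period is what causes the expired-cert lockout David describes.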