Windows XP computer certificate renewal from MS W2k Enterprise CA

Scott

Renewed the issuing Enterprise CA's certificate because it will run out in
6 weeks.
After updating the CA's certificate, I was expecting my domain member
Windows XP machines to renew their certificates automatically because the Group
Policy was created so that Win XP will autoenroll for their
certificate. Win XP originally received their certificate from the CA
automatically via autoenrollment.

If the certificate has been renewed on the CA, when do the Win XP
clients begin to renew their certificate? I thought it was 6 weeks
prior to expiration.

None of my Win XP clients are renewing their certificates. I ran
gpupdate /force and made sure that the policy containing the
autoenroll setting executed.

The only way so far was to manually go on the Win XP, via the certificate MMC,
and do the manual renew.

Does autoenrollment work for renewing certificates?

Brand new machines without certificates get their certificates
automatically. It's only the old machines with older certificates,
which did not expire yet, that are not renewing.

Did anyone have a similar issue?

Thanks

Scott.
 
Kenny Wood

Hello Scott,

The re-enrollment process, due to expiry, only pertains to the object that owns the certificate. In
your case the CA's certificate was expiring, not the XP clients' (as per the details in your post),
therefore the clients have not hit the trigger for re-enrollment. Since their certificate has not
expired, just a member of their issuing chain, they will not autoenroll.

If you want to force them to re-enroll, update the template version:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/certenrl.mspx#XSLTsection129121120120

Thank you for your post.

Kenny Wood
CISSP, MCSE (+S, +M)
PSS Security
Microsoft Corporation
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included
script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best
directed to the newsgroup/thread from which they originated.
 
Scott

Ken,
Thanks for the explanation.
The link that you sent pertains to a Windows 2003 CA server. I only
have a Windows 2000 CA server.
In Windows 2000, how do I update the template version number?

Thanks.

Scott.
 
Miha Pihler

Hi Scott,

You can only change templates on a Windows 2003 CA if you have the _enterprise_
version of Windows 2003!

Mike
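The two points made above by Kenny (a client re-enrolls only when its own certificate enters its renewal period, or when the template's major version is bumped) and by Miha (the version-bearing template extension exists only for the v2 templates of a Windows 2003 Enterprise CA; a Windows 2000 CA issues v1 templates identified by name alone) can both be checked against the extensions in a client's own certificate. The Python below is an added example, not part of this thread and not Microsoft tooling: it decodes the v1 template-name extension (OID 1.3.6.1.4.1.311.20.2, a BMPString) and the v2 template-information extension (OID 1.3.6.1.4.1.311.21.7, template OID plus major/minor version), then applies the autoenrollment renewal decision. The six-week renewal period, the published template version and the sample DER bytes are constructed for illustration; real values come from the template and from the certificate in the machine's personal store.

```python
"""Decode the Windows certificate-template extensions and apply the autoenrollment
renewal rule. Added example; the sample extension bytes below are hand-encoded."""
from datetime import datetime, timedelta, timezone

OID_TEMPLATE_NAME = "1.3.6.1.4.1.311.20.2"  # v1 templates (Windows 2000 CA): name only, no version
OID_TEMPLATE_INFO = "1.3.6.1.4.1.311.21.7"  # v2 templates (Windows 2003 Enterprise CA): OID + version


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element; handles short and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn DER OID content octets into dotted form, e.g. 2B 06 01 ... -> 1.3.6.1..."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last octet of this sub-identifier
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_template_name(ext_value):
    """v1 extension: a bare BMPString (UTF-16BE) holding the template name, e.g. "Machine"."""
    tag, val, _ = _read_tlv(ext_value, 0)
    if tag != 0x1E:
        raise ValueError("expected BMPString (0x1E), got tag 0x%02X" % tag)
    return val.decode("utf-16-be")


def parse_template_info(ext_value):
    """v2 extension: SEQUENCE { templateID OID, majorVersion INTEGER, minorVersion INTEGER OPTIONAL }."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE (0x30), got tag 0x%02X" % tag)
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OID as first element of template info")
    tag, major, pos = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER major version")
    minor = 0
    if pos < len(seq):  # minor version is OPTIONAL
        tag, minor_b, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER minor version")
        minor = int.from_bytes(minor_b, "big")
    return {"oid": _decode_oid(oid), "major": int.from_bytes(major, "big"), "minor": minor}


def autoenroll_action(now, not_after, renewal_period, cert_major=None, published_major=None):
    """Decide what autoenrollment does for one client certificate.

    It acts only when the client's *own* certificate is inside the template's renewal
    period, or (v2 templates only) when the published template's major version is newer
    than the one recorded in the certificate. A renewed CA certificate is neither trigger.
    """
    if cert_major is not None and published_major is not None and published_major > cert_major:
        return "reenroll: template major version bumped"
    if not_after - now <= renewal_period:
        return "renew: inside renewal period"
    return "no action: certificate still valid and template unchanged"


def scenario(days_left, cert_major=None, published_major=None):
    """Evaluate a client cert with `days_left` of validity against a six-week renewal period
    (the assumed renewal period on the Computer template) on the date of the original post."""
    now = datetime(2004, 7, 18, tzinfo=timezone.utc)
    return autoenroll_action(now, now + timedelta(days=days_left), timedelta(weeks=6),
                             cert_major, published_major)


# Constructed samples (hand-encoded DER, not taken from any real certificate).
SAMPLE_V1_NAME = bytes.fromhex("1E0E004D0061006300680069006E0065")  # BMPString "Machine"
# SEQUENCE { OID 1.3.6.1.4.1.311.21.8.1.2 (a made-up template OID), INTEGER 100, INTEGER 3 }
SAMPLE_V2_INFO = bytes.fromhex("3013060B2B06010401823715080102020164020103")

if __name__ == "__main__":
    print("v1 template:", parse_template_name(SAMPLE_V1_NAME))
    print("v2 template:", parse_template_info(SAMPLE_V2_INFO))
    print("CA cert renewed, client cert has 200 days left:", scenario(200))
    print("client cert has 30 days left:", scenario(30))
    print("template bumped 100 -> 101 (2003 Enterprise only):", scenario(200, 100, 101))
```

The v1 name extension carries no version field at all, which is why a Windows 2000 CA offers nothing to bump: the only ways to make an XP client with a valid v1 certificate re-enroll are to let it reach its renewal period, renew it by hand as Scott did, or delete it from the machine store so that autoenrollment treats the host as a new machine.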
 
