Shaan-1220 asked

Issue with certificate renewal via autoenrollment

Hi All,

We have configured autoenrollment of certificates via GPO to issue the email encryption certificates. Recently, however, we have started observing issues with renewal of the certificates. When a previously issued certificate is in its renewal window, we see the certificate getting renewed on the CA, but it is not installed on the user's machine. Hence, we have to recover the new certificate from the CA db and hand it over to the users. Since the old certificate has reached its renewal window, as part of Microsoft default behavior the old certificate is marked as "archived", and users are not able to send new encrypted email until we provide the PFX file manually.

Could you please help me to identify why the renewed certificate is not installing on the user machines automatically?

Thanks,
Shaan

Tags: windows-server, windows-group-policy, windows-server-security

cthivierge answered

Look in Applications and Services Logs / Microsoft / Windows / CertificateServicesClient-Lifecycle-User on the client computer. You may find more information there.


LimitlessTechnology-2700 answered

Hello @Shaan-1220,

Before you perform this procedure, you must configure a server certificate template by using the Certificate Templates Microsoft Management Console snap-in on a CA that is running AD CS.

Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

Please do check the CertificateServicesClient-Lifecycle-User log under Service logs for more information and a better understanding.

Do have a look at the below link for ideas about Configuring certificate auto-enrollment

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment



Hope this answers all your queries, if not please do repost back.
If an Answer is helpful, please click "Accept Answer" and upvote it : )
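
Both answers point at the CertificateServicesClient-Lifecycle-User log on the client. The following PowerShell is an added example, not code posted by anyone in this thread: run in the affected user's session, it reads that log and lists the user's Personal store including archived certificates, so you can see whether the renewed certificate and its private key ever arrived. It assumes the channel's full name is `Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational` and that the email template carries the Secure Email EKU.

```powershell
# Added diagnostic example. Run as the affected user on the client machine.
$logName  = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational'
$emailEku = '1.3.6.1.5.5.7.3.4'   # Secure Email EKU (assumed to be on the template)

# Optional: trigger a user autoenrollment pass first so the log has fresh entries.
# certutil -user -pulse

# 1. Recent certificate lifecycle events for this user, oldest first.
try {
    Get-WinEvent -LogName $logName -MaxEvents 50 -ErrorAction Stop |
        Sort-Object TimeCreated |
        Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
} catch {
    Write-Warning "Could not read ${logName}: $($_.Exception.Message)"
}

# 2. Personal store contents, including certificates already marked archived.
$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, IncludeArchived'
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'CurrentUser')
$store.Open($flags)
try {
    # Keep only certificates whose EKU extension lists Secure Email.
    $certs = $store.Certificates | Where-Object {
        $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $emailEku }
    }

    $certs | Sort-Object NotBefore |
        Select-Object Thumbprint, NotBefore, NotAfter, Archived, HasPrivateKey |
        Format-Table -AutoSize

    # A usable certificate is unarchived, unexpired, and has its private key locally.
    $usable = $certs | Where-Object {
        -not $_.Archived -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
    }
    if (-not $usable) {
        Write-Warning 'No unarchived, unexpired email certificate with a private key in CurrentUser\My.'
    }
} finally {
    $store.Close()
}
```

If the old certificate shows `Archived = True` and no newer entry is listed, compare the timestamp of the renewal on the CA with the events from step 1 on the machine where the user was logged on at that time.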
