We have configured autoenrollment of certificates via GPO to issue the email encryption certificates. But recently we have started observing issues with renewal of the certificate. When the previously issued certificate is in the renewal window we are seeing the certificate getting renewed in the CA, but it's not installing on the user machine. Hence, we have to recover the new certificate from the CA database and hand it over to the users. Once the old certificate reaches the renewal window, as part of Microsoft's default behavior the old certificate is marked as "archived" and users are not able to send new encrypted email until we provide the PFX file manually.
Could you please help me to identify why the renewed certificate is not installing on the user machines automatically?
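To narrow down whether the renewed certificate ever reaches the client before it is archived, here is an added PowerShell diagnostic (not part of the original post): it lists the user's personal store including archived entries, with template info and private-key presence, and pulls the client-side autoenrollment events. It assumes the CurrentUser\My store, the standard Microsoft template-extension OIDs, and that the autoenrollment provider writes to the Application log under the name shown.

```powershell
# Added diagnostic, not from the original post. Assumptions: the store is
# CurrentUser\My, templates use the standard Microsoft extension OIDs, and the
# client autoenrollment provider below logs to the Application log.
function Get-UserCertInventory {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    # IncludeArchived is essential: archived certificates are hidden from the
    # default view, which is exactly what happens to the old email certificate.
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
             [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived
    $store.Open($flags)
    try {
        foreach ($cert in $store.Certificates) {
            # 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2+ templates)
            # 1.3.6.1.4.1.311.20.2 = Certificate Template Name (v1 templates)
            $tmpl = $cert.Extensions |
                Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
                ForEach-Object { $_.Format($false) }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                Archived   = $cert.Archived
                HasKey     = $cert.HasPrivateKey
                Template   = ($tmpl -join '; ')
            }
        }
    } finally {
        $store.Close()
    }
}

# Client-side autoenrollment events for the last N hours; a failed install
# (for example a key-generation or template-ACL problem) is reported here.
function Get-AutoEnrollEvents([int]$Hours = 24) {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Run in the affected user's session. Compare the newest NotBefore against the
# CA's issued list: a missing entry, or an entry with HasKey = False, points at
# the client-side install rather than at the CA.
Get-UserCertInventory | Sort-Object NotBefore | Format-Table -AutoSize
Get-AutoEnrollEvents | Format-List
# To trigger a fresh autoenrollment pass in the same session: certutil -pulse
```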