Automatically Renew User Certificates from Inhouse CA?

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Everyone,

I'm running a Win2k CA in-house tied directly into Active Directory. In
order to make use of EAP/TLS over VPN, I've logged onto local users'
laptops, and downloaded user certificates for them from the CA webpage
onto their laptops, and they use these certs when connecting through
the VPN.

The issue is this... The certificates are only good for 1 year. They
do not renew themselves when they expire, and basically lock the person
out from even using EAP/TLS over VPN after they expire.

In order to get them working again, we have to manually browse over to
the CA webpage, and download a new user cert all over again, deleting
the old one that's still sitting there, expired.

Is there any way to automatically make these user certs renew, or
possibly force a renewal of that user cert on that machine?

I would appreciate your advice! :)


Thank you,
Mike
  1.

    <mvanzwieten@gmail.com> wrote in message
    news:1111692873.404369.127030@g14g2000cwa.googlegroups.com...
    > Hi Everyone,
    >
    > I'm running a Win2k CA in-house tied directly into Active Directory. In
    > order to make use of EAP/TLS over VPN, I've logged onto local users'
    > laptops, and downloaded user certificates for them from the CA webpage
    > onto their laptops, and they use these certs when connecting through
    > the VPN.

    (Most) Auto-enrollment and Auto-Renewal are new
    to Win2003, so take a look at Chris's post, which discusses
    infrastructure requirements in more detail.

    I believe you will find that unless you have Win2003,
    you will not be able to do auto-renewal.
  2.

    If your computers are joined to the domain, and sometimes connect to the
    network, you can use Group Policy and autoenrollment to push certs.

    The autoenrollment feature has several infrastructure requirements. These
    include:

    - Windows Server 2003 schema and Group Policy updates

    - Windows 2000 Server domain controllers running Service Pack 3 or later

    - Windows XP Professional or Windows Server 2003 clients

    - Windows Server 2003, Enterprise Edition or Datacenter Edition running as
      an Enterprise CA


    --
    Regards
    Christoffer Andersson
    Microsoft MVP - Directory Services

    No email replies please - reply in the newsgroup
    ------------------------------------------------
    http://www.chrisse.se - Active Directory Tips

    <mvanzwieten@gmail.com> skrev i meddelandet
    news:1111692873.404369.127030@g14g2000cwa.googlegroups.com...
    > Hi Everyone,
    >
    > I'm running a Win2k CA in-house tied directly into Active Directory. In
    > order to make use of EAP/TLS over VPN, I've logged onto local users'
    > laptops, and downloaded user certificates for them from the CA webpage
    > onto their laptops, and they use these certs when connecting through
    > the VPN.
    >
    > The issue is this... The certificates are only good for 1 year. They
    > do not renew themselves when they expire, and basically lock the person
    > out from even using EAP/TLS over VPN after they expire.
    >
    > In order to get them working again, we have to manually browse over to
    > the CA webpage, and download a new user cert all over again, deleting
    > the old one that's still sitting there, expired.
    >
    > Is there any way to automatically make these user certs renew, or
    > possibly force a renewal of that user cert on that machine?
    >
    > I would appreciate your advice! :)
    >
    >
    > Thank you,
    > Mike
    >
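The answer above says what Group Policy autoenrollment needs on the server side; what an administrator still wants on the client side is a way to see which EAP-TLS user certificates are about to expire and to kick off a renewal before the user is locked out. The script below is an added example, not code from the thread or from Microsoft: it assumes a client newer than the Win2k/XP machines discussed here (one with PowerShell, `certreq.exe` and `certutil.exe` present, i.e. Vista or later) and an Enterprise CA whose user template permits the signed-in user to enrol. The `-WarnDays` threshold and the `-WhatIf` switch are the example's own parameters.

```powershell
# Added example (not from the thread): report EAP-TLS user certificates in the
# current user's Personal store that expire within $WarnDays, and ask the
# issuing Enterprise CA to renew them. Assumes PowerShell plus certreq/certutil
# on the client (Vista or later); a plain Win2k client cannot do this.
param(
    [int]$WarnDays = 30,   # renew when fewer than this many days remain
    [switch]$WhatIf        # report only, never call the CA
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, required for EAP-TLS
$now = Get-Date

# Only certificates with a private key and the Client Authentication EKU are
# usable for EAP-TLS; everything else in CurrentUser\My is ignored.
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}

if (-not $candidates) {
    Write-Warning 'No client-authentication certificate with a private key in CurrentUser\My.'
    return
}

foreach ($cert in $candidates) {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    $label = '{0} (serial {1}, issuer {2})' -f $cert.Subject, $cert.SerialNumber, $cert.Issuer

    if ($daysLeft -gt $WarnDays) {
        Write-Host "OK      : $label expires in $daysLeft days"
        continue
    }

    if ($daysLeft -lt 0) {
        # An expired certificate cannot sign its own renewal request, so the
        # user needs a fresh enrollment. certutil -pulse triggers autoenrollment
        # for the current user if Group Policy has enabled it; otherwise this is
        # the point where the manual CA web-page procedure from the thread applies.
        Write-Host "EXPIRED : $label expired $(-$daysLeft) days ago; user is locked out of EAP-TLS"
        if (-not $WhatIf) { & certutil.exe -pulse | Out-Null }
        continue
    }

    Write-Host "RENEW   : $label expires in $daysLeft days"
    if ($WhatIf) { continue }

    # certreq renews an existing certificate identified by serial number against
    # the CA that issued it; -q suppresses dialogs so this can run from a logon script.
    & certreq.exe -Enroll -user -q -cert $cert.SerialNumber Renew
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certreq exited with $LASTEXITCODE for $label; check template permissions or fall back to the CA web pages"
    }
}
```

Run it with `-WhatIf` first to confirm it picks out only the VPN certificate (the EKU filter excludes things like EFS or S/MIME certificates that also live in the user's store), then drop the switch in a logon script so renewal happens while the certificate is still valid. The expired branch is the case the original poster hit: once the certificate is past `NotAfter`, renewal is no longer possible and only a new enrollment, automatic or manual, restores access.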
  3.

    Thanks Chris... Yeah, I haven't found any documentation supporting
    Win2k certificate servers being able to autoenroll... I did find
    docs on how to do that with Win2k3 servers. If you know something I
    don't about autoenrolling actual user certificates using Win2k server,
    please let me know! Thanks again.

    Mike.
  4.

    Thanks Herb. I'm going to have to draw up some procedures for users to
    do this themselves, and for those who have a cow with it, I'm going to
    have to extract the cert for them, and email it to them... with
    instructions on how to install/remove the old one. <sigh> Win2k cert
    services really is a pain in the kiester. :)
  5.

    <mvanzwieten@gmail.com> wrote in message
    news:1112044616.974944.268840@f14g2000cwb.googlegroups.com...
    > Thanks Chris... Yeah, I haven't found any documentation supporting
    > Win2k certificate servers being able to autoenroll... I did find
    > docs on how to do that with Win2k3 servers. If you know something I
    > don't about autoenrolling actual user certificates using Win2k server,
    > please let me know! Thanks again.

    It is a documented NEW FEATURE of Win2003.
  6.

    <mvanzwieten@gmail.com> wrote in message
    news:1112048318.889411.210520@g14g2000cwa.googlegroups.com...
    > Thanks Herb. I'm going to have to draw up some procedures for users to
    > do this themselves, and for those who have a cow with it, I'm going to
    > have to extract the cert for them, and email it to them... with
    > instructions on how to install/remove the old one. <sigh> Win2k cert
    > services really is a pain in the kiester. :)


    Win2003 is your friend. <GRIN>

    It is really just NT 5.2.

    I still think both Microsoft and customers would be better
    off if the names had never been changed...

    NT 5.2 Windows Server 2003
    NT 5.1 Windows XP
    NT 5.0 Windows 2000
    etc....