Windows XP computer certificate renewal from MS W2k Enterp..

Scott

Archived from groups: microsoft.public.win2000.security (More info?)

Renewed the issuing Enterprise CA's certificate because it will run out in
6 weeks.
After updating the CA's certificate, I was expecting my domain member
Windows XP to renew their certificate automatically because the Group
Policy was created so that Win XP will autoenroll for their
certificate. Win XP originally received their certificate from the CA
automatically via autoenrollment.

If the certificate has been renewed on the CA, when do the Win XP
clients begin to renew their certificates? I thought it was 6 weeks
prior to expiration.

None of my Win XP clients are renewing their certificates. I ran
gpupdate /force and made sure that the policy containing the
autoenroll executed.

The only way so far was to manually go on the Win XP, via the certificate MMC,
and do the manual renew.

Does autoenrollment work for renewing certificates?

Brand new machines without certificates get their certificates
automatically. It's only the old machines with older certificates
that have not expired yet that are not renewing.

Has anyone had a similar issue?

Thanks

Scott.
 
Guest

Hello Scott,

The re-enrollment process, due to expiry, only pertains to the object that owns the certificate. In
your case the CA's certificate was expiring, not the XP clients (as per the details below),
therefore the clients have not hit the trigger for re-enrollment. Since their certificate has not
expired, just a member in their issuing chain, they will not autoenroll.

If you want to force them to re-enroll, update the template version:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/certenrl.mspx#XSLTsection129121120120

Thank you for your post.

Kenny Wood
CISSP, MCSE (+S, +M)
PSS Security
Microsoft Corporation
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included
script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best
directed to the newsgroup/thread from which they originated.
--------------------
| From: scottklee@msn.com (Scott)
| Newsgroups: microsoft.public.win2000.security
| Subject: Windows XP computer certificate renewal from MS W2k Enterprise CA
| Date: 18 Jul 2004 06:36:17 -0700
 

Scott


Ken,
Thanks for the explanation.
The link that you sent pertains to Windows 2003 CA server. I only
have Windows 2000 CA Server.
In Windows 2000, how do I update the template version number?

Thanks.

Scott.



 
Guest

Hi Scott,

You can only change templates on a Windows 2003 CA if you have the _enterprise_
version of Windows 2003!

Mike
