Windows XP computer certificate renewal from MS W2k Enterp..

Archived from groups: microsoft.public.win2000.security

I renewed the issuing Enterprise CA's certificate because it will run out in
6 weeks.
After updating the CA's certificate, I was expecting my domain member
Windows XP machines to renew their certificates automatically, because the
Group Policy was created so that Win XP will autoenroll for their
certificate. The Win XP machines originally received their certificates from
the CA automatically via autoenrollment.

If the certificate has been renewed on the CA, when do the Win XP
clients begin to renew their certificates? I thought it was 6 weeks
prior to expiration.

None of my Win XP clients are renewing their certificates. I ran
gpupdate /force and made sure that the policy containing the
autoenroll setting executed.

The only way so far has been to go on each Win XP machine manually, via the
certificate MMC, and do a manual renew.

Does autoenrollment work for renewing certificates?

Brand new machines without certificates get their certificates
automatically. It's only the old machines with older certificates
that have not expired yet that are not renewing.

Has anyone had a similar issue?

Thanks

Scott.
  1. Archived from groups: microsoft.public.win2000.security

    Hello Scott,

    The re-enrollment process, due to expiry, only pertains to the object that owns the certificate. In
    your case the CA's certificate was expiring, not the XP clients' (as per the details below),
    therefore the clients have not hit the trigger for re-enrollment. Since their certificate has not
    expired, just a member in their issuing chain, they will not autoenroll.

    If you want to force them to re-enroll, update the template version:

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/certenrl.mspx#XSLTsection129121120120

    Thank you for your post.

    Kenny Wood
    CISSP, MCSE (+S, +M)
    PSS Security
    Microsoft Corporation
    --

    This posting is provided "AS IS" with no warranties, and confers no rights. Use of included
    script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

    Note: For the benefit of the community-at-large, all responses to this message are best
    directed to the newsgroup/thread from which they originated.
    --------------------
    | From: scottklee@msn.com (Scott)
    | Newsgroups: microsoft.public.win2000.security
    | Subject: Windows XP computer certificate renewal from MS W2k Enterprise CA
    | Date: 18 Jul 2004 06:36:17 -0700
  2. Archived from groups: microsoft.public.win2000.security

    Ken,
    Thanks for the explanation.
    The link that you sent pertains to Windows 2003 CA server. I only
    have Windows 2000 CA Server.
    In Windows 2000, how do I update the template version number?

    Thanks.

    Scott.


  3. Archived from groups: microsoft.public.win2000.security

    Hi Scott,

    You can only change templates on a Windows 2003 CA if you have the _enterprise_
    version of Windows 2003!

    Mike
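
A simplified model of the renewal triggers discussed in the replies above, added here as an example; it is not code from the thread or from Windows. The field names, the six-week window and the sample fleet are constructed assumptions, and the decision takes only the client's own certificate and the template version as inputs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class ClientCert:
    host: str
    not_after: datetime       # expiry of the client's OWN certificate
    template_version: int     # template version the cert was issued from

def renewal_reason(cert, now, window, template_version) -> Optional[str]:
    """Return why autoenrollment would act on this cert, or None.

    The issuing CA certificate's expiry or renewal is deliberately not an
    input: per the first reply, only the certificate's owner hitting its
    own trigger (or a template version update) causes re-enrollment.
    """
    if cert.not_after <= now:
        return "expired"
    if cert.template_version < template_version:
        return "template version updated"
    if cert.not_after - now <= window:
        return "inside renewal window"
    return None

def plan(fleet, now, window, template_version):
    """Map each host to its renewal reason (None means no action)."""
    return {c.host: renewal_reason(c, now, window, template_version)
            for c in fleet}

# Constructed sample data (hypothetical hosts and dates).
NOW = datetime(2004, 7, 18)
WINDOW = timedelta(weeks=6)   # assumed renewal window, as the poster expected
FLEET = [
    ClientCert("XP-01", datetime(2005, 3, 1), 1),   # long-lived, untouched
    ClientCert("XP-02", datetime(2004, 8, 10), 1),  # 23 days left
    ClientCert("XP-03", datetime(2004, 7, 1), 1),   # already expired
]

if __name__ == "__main__":
    # Version 1: template unchanged after the CA cert renewal.
    # Version 2: template version updated to force re-enrollment.
    for version in (1, 2):
        print(f"template v{version}:", plan(FLEET, NOW, WINDOW, version))
```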