When do ad certificates get renewed

Archived from groups: microsoft.public.win2000.security (More info?)

We have an enterprise CA issuing computer certificates to client computers
with a validity period of one year. When will the certificate get reissued
(i.e. how long before the certificate expires)?

What happens if a VPN user doesn't connect for, say, a week while away from
the office - I assume their certificate will expire and then they will be
prevented from forming the L2TP-IPsec connection needed to connect to AD to
get the new certificate.
Thanks
David
  1. The cert will be good until the expiry date.

    After a ticket expires, it is added to the CRL. Once added to the CRL,
    when that ticket tries to authenticate (depending on your domain
    policies) it can be autorenewed or you will have to have the client PC
    request a new cert manually.
  2. In article <OcHQeOe4EHA.824@TK2MSFTNGP11.phx.gbl>, in the
    microsoft.public.win2000.security news group, David Beaven
    <technet@ids.ac.uk> says...

    > We have an enterprise CA issuing computer certificates to client computers
    > with a validity period of one year. When will the certificate get reissued
    > (i.e. how long before the certificate expires)?

    I'm assuming here that your CA is running on Windows Server 2003
    Enterprise Edition and that you're referring to autoenrollment and
    renewal. If so, then you'd need to look at the template that the
    certificates are based upon. There is a Validity Period listed and a
    Renewal Period. Clients will start attempting to renew the certificate
    once they enter the renewal period.

    >
    > What happens if a vpn user doesn't connect for say a week while away from
    > the office - I assume their certificate will expire and then they will be
    > prevented from forming the l2tp-ipsec connection needed to connect to ad to
    > get the new certificate

    Correct. If the certificate has expired, they'll need some other method
    to get a new one.


    --
    Paul Adare
    "On two occasions, I have been asked [by members of Parliament],
    'Pray, Mr. Babbage, if you put into the machine wrong figures,
    will the right answers come out?' I am not able to rightly apprehend
    the kind of confusion of ideas that could provoke such a question."
    -- Charles Babbage (1791-1871)
  3. In article <1103042964.187689.65590@f14g2000cwb.googlegroups.com>, in
    the microsoft.public.win2000.security news group, Teething
    <teething@gmail.com> says...

    > The cert will be good until the expiry date.

    True.

    >
    > After a ticket expires, it is added to the CRL.

    Not true. A CRL is a Certificate Revocation List. A revoked certificate
    is not the same thing as an expired certificate, and expired
    certificates are not added to the CRL. As a matter of fact, the opposite
    is true. When a revoked certificate expires, it is removed from the CRL
    one CRL publication period after its expiration.


    --
    Paul Adare
    "On two occasions, I have been asked [by members of Parliament],
    'Pray, Mr. Babbage, if you put into the machine wrong figures,
    will the right answers come out?' I am not able to rightly apprehend
    the kind of confusion of ideas that could provoke such a question."
    -- Charles Babbage (1791-1871)
  4. Paul
    Thanks for that.
    See "Certificate Autoenrollment in Windows Server 2003". The default for
    most templates is a renewal period of six (6) weeks before expiration, which
    should do fine!
    David


    "Paul Adare - MVP - Microsoft Virtual PC" <padare@newsguy.com> wrote in
    message news:MPG.1c28f5d55ab5a195989b3d@msnews.microsoft.com...
    > In article <OcHQeOe4EHA.824@TK2MSFTNGP11.phx.gbl>, in the
    > microsoft.public.win2000.security news group, David Beaven
    > <technet@ids.ac.uk> says...
    >
    > > We have an enterprise CA issuing computer certificates to client computers
    > > with a validity period of one year. When will the certificate get reissued
    > > (i.e. how long before the certificate expires)?
    >
    > I'm assuming here that your CA is running on Windows Server 2003
    > Enterprise Edition and that you're referring to autoenrollment and
    > renewal. If so, then you'd need to look at the template that the
    > certificates are based upon. There is a Validity Period listed and a
    > Renewal Period. Clients will start attempting to renew the certificate
    > once they enter the renewal period.
    >
    > >
    > > What happens if a vpn user doesn't connect for say a week while away from
    > > the office - I assume their certificate will expire and then they will be
    > > prevented from forming the l2tp-ipsec connection needed to connect to ad to
    > > get the new certificate
    >
    > Correct. If the certificate has expired, they'll need some other method
    > to get a new one.
    >
    >
    > --
    > Paul Adare
    > "On two occasions, I have been asked [by members of Parliament],
    > 'Pray, Mr. Babbage, if you put into the machine wrong figures,
    > will the right answers come out?' I am not able to rightly apprehend
    > the kind of confusion of ideas that could provoke such a question."
    > -- Charles Babbage (1791-1871)
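
A triage sketch for the scenario discussed in this thread, added here as an example and not code from any of the posters: it flags machine certificates that are inside the renewal window while the client has been off the network, before they expire and lock the VPN user out. The record fields, status names and sample inventory are constructed; the 6-week renewal period is the template default quoted in the thread, and the model assumes renewal becomes possible at expiry minus the renewal period.

```python
from datetime import date, timedelta

# Assumption: 6-week renewal period, the template default quoted in the thread.
# Read the real value from the certificate template in use.
RENEWAL_PERIOD = timedelta(weeks=6)

def triage(cert, today, renewal_period=RENEWAL_PERIOD):
    """Classify one machine-certificate record.

    cert: dict with 'host', 'not_after' (expiry date) and 'last_seen'
    (date of the client's last successful connection to the domain).
    Returns (status, days_left); days_left is negative once expired.
    """
    window_opens = cert["not_after"] - renewal_period
    days_left = (cert["not_after"] - today).days
    if days_left < 0:
        # Expired: L2TP/IPsec can no longer be formed, so autoenrollment
        # over the VPN is impossible; needs another enrollment path.
        return ("EXPIRED", days_left)
    if today < window_opens:
        return ("OK", days_left)
    if cert["last_seen"] < window_opens:
        # Client has not been online since renewal became possible.
        return ("RENEWAL_PENDING_OFFLINE", days_left)
    # Client was online inside the window yet still holds the old cert.
    return ("RENEWAL_FAILED", days_left)

def report(inventory, today):
    """Return (host, status, days_left) for every non-OK record, most urgent first."""
    rows = [(c["host"],) + triage(c, today) for c in inventory]
    return sorted((r for r in rows if r[1] != "OK"), key=lambda r: r[2])

# Constructed sample inventory (hypothetical hosts and dates).
INVENTORY = [
    {"host": "laptop-01", "not_after": date(2005, 9, 1), "last_seen": date(2005, 1, 5)},
    {"host": "laptop-02", "not_after": date(2005, 1, 24), "last_seen": date(2004, 12, 1)},
    {"host": "laptop-03", "not_after": date(2005, 1, 24), "last_seen": date(2005, 1, 7)},
    {"host": "laptop-04", "not_after": date(2005, 1, 3), "last_seen": date(2004, 11, 15)},
]

if __name__ == "__main__":
    for host, status, days_left in report(INVENTORY, date(2005, 1, 10)):
        print(f"{host:10} {status:24} {days_left:4d} days")
```

`RENEWAL_PENDING_OFFLINE` hosts only need to connect before expiry; `RENEWAL_FAILED` hosts were online inside the window and still hold the old certificate, so autoenrollment on them is worth checking.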