When do AD certificates get renewed?

Guest
Archived from groups: microsoft.public.win2000.security

We have an enterprise CA issuing computer certificates to client computers
with a validity period of one year. When will the certificate get reissued
(i.e. how long before the certificate expires)?

What happens if a VPN user doesn't connect for, say, a week while away from
the office? I assume their certificate will expire and then they will be
prevented from forming the L2TP/IPsec connection needed to connect to AD to
get the new certificate.
Thanks
David
 

teething

Dec 14, 2004

The cert will be good until the expiry date.

After a ticket expires, it is added to the CRL. Once added to the CRL,
when that ticket tries to authenticate (depending on your domain
policies) it can be autorenewed or you will have to have the client PC
request a new cert manually.
 
Guest

In article <OcHQeOe4EHA.824@TK2MSFTNGP11.phx.gbl>, in the
microsoft.public.win2000.security news group, David Beaven
<technet@ids.ac.uk> says...

> We have an enterprise CA issuing computer certificates to client computers
> with a validity period of one year. When will the certificate get reissued
> (i.e. how long before the certificate expires)?

I'm assuming here that your CA is running on Windows Server 2003
Enterprise Edition and that you're referring to autoenrollment and
renewal. If so, then you'd need to look at the template that the
certificates are based upon. There is a Validity Period listed and a
Renewal Period. Clients will start attempting to renew the certificate
once they enter the renewal period.

>
> What happens if a vpn user doesn't connect for say a week while away from
> the office - I assume their certificate will expire and then they will be
> prevented from forming the l2tp-ipsec connection needed to connect to ad to
> get the new certificate

Correct. If the certificate has expired, they'll need some other method
to get a new one.


--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
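The check Paul describes, done from the client side, as an added example by the editor rather than anything posted in the thread. It decodes the template's Validity Period and Renewal Period from the AD configuration partition and then shows, for each machine certificate issued from that template, when the renewal window opens and how many days the machine can stay off the network before the certificate lapses. It assumes a domain-joined Windows host with read access to the configuration partition; the template CN `Machine` (the built-in Computer template) is an assumed default.

```powershell
# Added example, not code from the original thread. Reads a template's
# Validity Period (pKIExpirationPeriod) and Renewal Period (pKIOverlapPeriod)
# from the AD configuration partition, then lists the local machine
# certificates issued from that template with the date on which
# autoenrollment starts trying to renew each one.
# Assumptions: run on a domain-joined Windows machine that can read the
# configuration partition; the template CN 'Machine' (the built-in
# Computer template) is an assumed default, change it to your template.
param(
    [string]$TemplateName = 'Machine'
)

# Templates are stored under Public Key Services in the configuration NC.
$rootDse = [ADSI]'LDAP://RootDSE'
$cfgNC   = [string]$rootDse.configurationNamingContext
$tmpl    = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"

# Both period attributes are 8-byte little-endian signed integers holding a
# negative count of 100 ns intervals (a relative FILETIME). Negating the
# value gives a count of .NET ticks, which are also 100 ns.
function ConvertFrom-PkiPeriod {
    param([byte[]]$Bytes)
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

$validity = ConvertFrom-PkiPeriod ([byte[]]($tmpl.Properties['pKIExpirationPeriod'].Value))
$renewal  = ConvertFrom-PkiPeriod ([byte[]]($tmpl.Properties['pKIOverlapPeriod'].Value))
'Template {0}: validity {1:N0} days, renewal window opens {2:N0} days before expiry' -f $TemplateName, $validity.TotalDays, $renewal.TotalDays

# v1 templates name themselves in extension 1.3.6.1.4.1.311.20.2, v2 templates
# in 1.3.6.1.4.1.311.21.7; Format() renders the template name for both.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
$namePattern  = '(^|\W)' + [regex]::Escape($TemplateName) + '(\W|$)'
$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object {
        $templateOids -contains $_.Oid.Value -and $_.Format($false) -match $namePattern
    }
} | ForEach-Object {
    $renewFrom = $_.NotAfter - $renewal
    if ($now -gt $_.NotAfter) {
        $state = 'EXPIRED: autoenrollment will not renew it, re-enroll by another path'
    } elseif ($now -ge $renewFrom) {
        $state = 'In renewal window: renewed on the next autoenrollment run'
    } else {
        $state = 'Valid: renewal not yet due'
    }
    [pscustomobject]@{
        Subject         = $_.Subject
        Thumbprint      = $_.Thumbprint
        NotAfter        = $_.NotAfter
        RenewalStarts   = $renewFrom
        # How long the machine may stay off the network (the VPN user in the
        # thread) before the certificate lapses and renewal is no longer possible.
        DaysUntilExpiry = [math]::Round(($_.NotAfter - $now).TotalDays, 1)
        State           = $state
    }
} | Format-List
```

Renewal only happens while the client can reach the CA during the window between `RenewalStarts` and `NotAfter`, so `DaysUntilExpiry` is the number a roaming VPN user actually needs to watch. On Windows Vista and later, `certutil -pulse` triggers an autoenrollment run immediately; the Windows XP and Server 2003 clients discussed in this thread have no such switch and rely on the scheduled autoenrollment runs at startup, logon and Group Policy refresh.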
 
Guest

In article <1103042964.187689.65590@f14g2000cwb.googlegroups.com>, in
the microsoft.public.win2000.security news group, Teething
<teething@gmail.com> says...

> The cert will be good until the expiry date.

True.

>
> After a ticket expires, it is added to the CRL.

Not true. A CRL is a Certificate Revocation List. A revoked certificate
is not the same thing as an expired certificate, and expired
certificates are not added to the CRL. As a matter of fact, the opposite
is true. When a revoked certificate expires, it is removed from the CRL
one CRL publication period after its expiration.


--
Paul Adare
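Windows keeps the two conditions Paul separates here as distinct chain-status flags, and the following function, added by the editor and not part of the original thread, makes that visible: an expired certificate fails chain building with `NotTimeValid`, while `Revoked` is set only when the serial number is on the issuer's current CRL. The usage line picks the first certificate in the machine store purely to have something to test; that choice is an assumption, substitute the certificate you care about.

```powershell
# Added example, not code from the original thread. Builds the chain for a
# certificate with online revocation checking and reports Windows' separate
# verdicts for "expired" (NotTimeValid) and "revoked" (Revoked). An expired
# certificate fails with NotTimeValid only; Revoked is set only when the
# serial number is actually listed on the issuer's current CRL.
# Assumption: the usage line takes the first certificate in the machine
# store just to have input; substitute the certificate you want to test.
function Test-CertificateStatus {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $flagType = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $chain    = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    try {
        # Build() returns $false as soon as any status flag is set; the flags
        # themselves are what distinguish the failure modes.
        $null  = $chain.Build($Certificate)
        $flags = [int]$flagType::NoError
        foreach ($s in $chain.ChainStatus) { $flags = $flags -bor [int]$s.Status }
        $info  = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    } finally {
        $chain.Reset()
    }
    [pscustomobject]@{
        Subject  = $Certificate.Subject
        NotAfter = $Certificate.NotAfter
        Expired  = ($flags -band [int]$flagType::NotTimeValid) -ne 0
        Revoked  = ($flags -band [int]$flagType::Revoked) -ne 0
        # No CRL or OCSP responder reachable: revocation could not be decided
        # (the state a roaming VPN client is in until it is back on the network).
        RevocationUnknown = ($flags -band ([int]$flagType::RevocationStatusUnknown -bor [int]$flagType::OfflineRevocation)) -ne 0
        Details  = $info
    }
}

# Usage: test one certificate from the machine store (assumed input).
$cert = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
Test-CertificateStatus -Certificate $cert | Format-List
```

Because a revoked certificate drops off the CRL one publication period after it expires, the `Revoked` flag for such a certificate disappears once the CA publishes its next CRL, and only `Expired` remains; the CRL is not a list of expired certificates. The revocation verdict also depends on the CDP being reachable, which is why `RevocationUnknown` is reported separately rather than being folded into `Revoked`.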
 
Guest

Paul,
Thanks for that.
See "Certificate Autoenrollment in Windows Server 2003". The default for
most templates is a renewal period of six weeks before expiration, which
should do fine!
David

