Certificate renewal - Template autoenroll permission.

stefan Minehan 41 Reputation points
2021-08-18T14:16:02.057+00:00

Hi Folks,

This seems like a simple question but I can't seem to find a concrete answer.

With regards to a certificate template with the 'Autoenroll' permission (with the Server Authentication OID, for argument's sake, intended for computer objects):

If a valid certificate exists on a server which was built from this template, will it auto-renew with no extra GPO settings in place, or just expire?

Would it then try and enrol another certificate after the expiry date? Or would the expired certificate just sit there?

Cheers


Accepted answer
  1. cthivierge 4,051 Reputation points
    2021-08-18T19:13:03.413+00:00

    Yes, for Autoenrollment to be enabled, you need to have several things configured.

    1. A certificate template with "Server Authentication"
    2. Configure security and enable AutoEnroll for the required computer account (or Domain Computers)
    3. Configure Group Policy and enable the following parameters in Group Policy Management:
       (screenshot: 124339-cert01.png)

    And enable the following settings:

    (screenshot: 124394-cert02.png)


1 additional answer

  1. cthivierge 4,051 Reputation points
    2021-08-18T18:19:05.287+00:00

    Theoretically, the certificate template should have a "renewal period", so only when the certificate is within the renewal period will the computer try to request a new one.

    If your computer already has another certificate that was requested automatically (using autoenrollment), it should not try to request a new one except within the renewal period.

    When the certificate is renewed, the old one should be removed automatically from the personal store of the server.

    If you have done a manual request of the certificate template (the certificate that has Autoenrollment enabled), the server will not request another certificate from the same template and, if I remember, the auto-renew should work.

    hth

    1 person found this answer helpful.
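As an added example (not code from the question or either answer), a PowerShell check for the behaviour described in this answer: it lists machine certificates issued from one template, reports whether each is still valid, already inside its renewal window, or expired, and reads the DWORD that the computer "Certificate Services Client - Auto-Enrollment" policy writes. The template name, the renewal period and the store path are assumptions for this example; the template's real renewal period comes from the template itself.

```powershell
# Added example: check machine certificates from one template against the
# renewal window and read the autoenrollment policy state.
# ASSUMPTIONS (not from the thread): template name, renewal period, store path.
param(
    [string]$TemplateName = 'ExampleServerAuth',     # assumed template name
    [int]   $RenewalDays  = 42,                      # assumed renewal period (6 weeks)
    [string]$StorePath    = 'Cert:\LocalMachine\My'  # computer Personal store
)

# OIDs of the two certificate template extensions (V1 template name, V2+ template information).
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

function Get-TemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Format() renders the extension as text, e.g. "Template=ExampleServerAuth(1.3.6...)".
    foreach ($ext in $Cert.Extensions) {
        if ($templateOids -contains $ext.Oid.Value) { return $ext.Format($false) }
    }
    return ''
}

$now = Get-Date
Get-ChildItem -Path $StorePath | ForEach-Object {
    $tpl = Get-TemplateText -Cert $_
    if ($tpl -notmatch [regex]::Escape($TemplateName)) { return }   # skip other templates

    # Autoenrollment only renews once NotAfter minus the renewal period has been reached.
    $renewFrom = $_.NotAfter.AddDays(-$RenewalDays)
    $state = if ($now -gt $_.NotAfter)    { 'EXPIRED (renewal window was missed)' }
             elseif ($now -ge $renewFrom) { 'IN RENEWAL WINDOW (next autoenrollment pass should renew)' }
             else                         { 'VALID (outside renewal window, nothing to do yet)' }

    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        RenewFrom  = $renewFrom
        State      = $state
    }
} | Format-Table -AutoSize

# The computer "Certificate Services Client - Auto-Enrollment" policy writes this DWORD.
# Commonly documented bits: 0x1 enabled, 0x2 update templates,
# 0x4 renew expired / update pending / remove revoked, 0x8000 disabled.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $ae)        { 'AEPolicy not set: autoenrollment GPO is not configured for computers' }
elseif ($ae -band 0x8000) { 'AEPolicy: autoenrollment disabled by policy' }
elseif ($ae -band 0x1)    { "AEPolicy=$ae: enabled (renew expired/remove revoked: $([bool]($ae -band 0x4)))" }
else                      { "AEPolicy=$ae: present but not enabled" }
```

Run it in an elevated session on the server in question; a certificate reported IN RENEWAL WINDOW with AEPolicy showing enabled is the state in which the next autoenrollment pass (at logon, on the policy refresh interval, or triggered with certutil -pulse) should renew it.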