Certificate won't auto renew!!!

Chau Le 96 Reputation points
2022-10-05T22:21:39.837+00:00

I've been at this for so long please help. I have a certificate that will not auto renew!

Here's the configuration

GPO is in place to auto renew certificate
Create a certificate template with the following settings: Compatibility for server/client Windows 2012R2, Subject name - SUPPLY in the REQUEST + "Check" "Use subject information from existing certificate for autoenrollment renewal request" - EKU - Client/Server auth

Security tab - Test computer account name - with read/write/autoenroll CHECK, test user account with read/write/autoenroll CHECK

From the client I made an MMC with cert snap-in... Request cert... saw the template... filled out the template with common name and SAN... click next and finished! Cert issued.

I set the certificate to expire in 1 hour and it will not auto renew! I have no idea why. I thought I found the issue with the "Use subject information from existing certificate...etc" checked... but that didn't help! .... HELP

Nothing in event log... where can I find out WHY a cert won't auto renew after I met all the requirements????

Thanks

Windows Server Security

1 answer

  1. Limitless Technology 39,436 Reputation points
    2022-10-07T14:36:26.167+00:00

    Hello there,

    Is this the first time you are deploying this GPO to your environment or have you tested it before?

    If you look at the certificate template, you'll see a setting named Renewal Period. When the certificate enters that period (subtract the Renewal Period value from the expiry date of the certificate to determine when that period begins) clients will begin requesting renewals.

    You need to properly set up the certificate for autoenrollment and the GPO.
    See https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759371(v=ws.10)?redirectedfrom=MSDN for details.

    In the PKI environment, it is not supported to renew the root CA certificates automatically. https://social.technet.microsoft.com/Forums/lync/en-US/196a6229-c118-49e7-b073-df79e71ce5b1/auto-renew-an-enterprise-ca-root-certificate?forum=winserversecurity

    If you mean the certificates issued by the CA for the clients and users, yes, it can be set not to renew automatically. The certificates issued by the CA will not auto-enroll by default if the requirements have not been met:
    auto-enroll group policy
    auto-enroll permission for the templates
    https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

    ---------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--
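The renewal-window rule from the answer above (certificate expiry minus the template's Renewal Period), worked through in PowerShell as an added example that is not part of the original thread. The function name `Get-CertRenewalStatus`, the sample certificates and the 42-day renewal period are constructed for illustration; take the real Renewal Period from your own template.

```powershell
# Added example: when does a certificate enter its renewal window?
# Rule (from the answer): RenewalStarts = NotAfter - template Renewal Period.
function Get-CertRenewalStatus {
    [CmdletBinding()]
    param(
        # Any object exposing Subject, NotBefore and NotAfter
        # (an X509Certificate2 from the Cert: drive qualifies).
        [Parameter(Mandatory, ValueFromPipeline)]
        $Certificate,
        # Assumption: Renewal Period copied by hand from the template.
        [Parameter(Mandatory)]
        [TimeSpan]$RenewalPeriod,
        [DateTime]$Now = (Get-Date)
    )
    process {
        $lifetime      = $Certificate.NotAfter - $Certificate.NotBefore
        $renewalStarts = $Certificate.NotAfter - $RenewalPeriod
        [pscustomobject]@{
            Subject               = $Certificate.Subject
            NotAfter              = $Certificate.NotAfter
            RenewalStarts         = $renewalStarts
            InRenewalWindow       = ($Now -ge $renewalStarts) -and ($Now -lt $Certificate.NotAfter)
            Expired               = $Now -ge $Certificate.NotAfter
            # True when the Renewal Period is as long as the validity itself,
            # i.e. the computed window opens at or before issuance.
            PeriodExceedsLifetime = $RenewalPeriod -ge $lifetime
        }
    }
}

# Constructed sample data: one 1-hour test certificate, one 1-year certificate.
$issued  = [datetime]'2022-10-05T22:00:00'
$samples = @(
    [pscustomobject]@{ Subject = 'CN=test-1h'; NotBefore = $issued; NotAfter = $issued.AddHours(1) }
    [pscustomobject]@{ Subject = 'CN=test-1y'; NotBefore = $issued; NotAfter = $issued.AddYears(1) }
)

# Evaluate both 30 minutes after issuance with a constructed 42-day period.
$samples |
    Get-CertRenewalStatus -RenewalPeriod (New-TimeSpan -Days 42) -Now $issued.AddMinutes(30) |
    Format-Table -AutoSize

# Against the real machine store (Renewal Period value is still yours to supply):
# Get-ChildItem Cert:\LocalMachine\My |
#     Get-CertRenewalStatus -RenewalPeriod (New-TimeSpan -Days 42)
```

`PeriodExceedsLifetime` is the row to look at when testing with a very short validity: it shows that the template's Renewal Period and validity period need to be checked against each other before expecting a renewal request at a particular time.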