Renew certificate with win server PKI

Salam ELIAS 112 Reputation points

Hi, we intend to use win PKI that issues certificates to our servers for a period of time of 2 years. Is it possible or is there any config or process inside win PKI that allows automatically renew certificates after getting created manually, somthing similar to let's encrypt? If not, can win PKI send alerts, lets say 1 or 2 weeks before expiring to admin so he can trigger somthing to renew the certificate but not manually?

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,416 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. JimmySalian-2011 41,961 Reputation points

    Hi @Salam ELIAS ,

    For setting up the Server Template you can follow and configure the settings as per this article certificate-autoenrollment-in-windows-server-2016-part-2.aspx, validity can be set as per your requirement.

    However as per the requirement, t he autoenrollment process is normally triggered by the Winlogon process, and is designed to be activated and managed by a domain-based Group Policy. Both machine-based and user-based Group Policy can activate autoenrollment for machines and users.

    By default, the Group Policy is applied at reboot for machines, or at logon for users, and is refreshed every eight hours. The refresh interval can be configured using Group Policy. Autoenrollment is also triggered by an internal timer that activates every eight hours after the last time autoenrollment was activated.

    For alerts you will have to use SCOM or Solaarwinds to alert for renewal process for notifications to the administrator.

    Hope this helps.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Salam ELIAS 112 Reputation points

    So many thanks, I will go through the article and come back if I have any question

  3. Limitless Technology 44,051 Reputation points

    Hi. Thank you for your question and reaching out. My name is John and I’d be more than happy to help you with your query.

    The Microsoft Management Console (MMC) certifications snap-in is available (computer store). Right-click the certificate that is about to expire and select "All Tasks -> Renew certificate with new key."

    You must make sure that the computer management MMC's "enroll" permissions are set up for the Active Directory computer object of the server from which you are trying to renew the certificate in the Windows Server CA template that corresponds to your certificate (typically the Computer template or the Web Server template).

    -By going to the CA computer and performing the certsrv.msc command, you can configure the authorization by launching the Windows CA administration console.
    -Expand the "Certificate Templates" node, then select "Manage" from the context menu when you right-click it.
    -Right-click the relevant certificate template and select "Properties." Add the AD machine object from which you are attempting to renew the certificate to the "Security" tab and grant it "Enroll" access.

    After the certificate has been renewed, you can undo the changes, i.e. delete the rights on the AD computer object.

    And you must set up a certificate auto-enrollment policy through Active Directory GPO in order to enable automatic certificate renewal. Detailed instructions on how to construct the GPO for certificate auto-enrollment can be found at:

    For more information, please see


    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

    0 comments No comments

  4. Salam ELIAS 112 Reputation points

    So many thanks @Limitless Technology , I will go through the docs. I am well versed with manual certificate creation/renewal with Windows PKI. As I said, We are interested in the automation of the process End-To-End. What I mean, allow somebody triggers a request demand, validate then install the certificate. Once installed, then renewal should take place automatically without any human intervention. This is somthing we are experiencing with lets encrypt for Draytek router routers, where we installed the certificate in a UI interface, checkes"{renew automatically) and everything works fine only 3 weeks prioe to renewal admins receives an alert that Certificate will be renewed
    Bu the way, is there a possibility or a powershell script that lists all certificates granted to servers/web on the CA server?

    0 comments No comments