computer certificate expired

Janus Bariñan 1,126 Reputation points
2020-12-08T03:19:23.857+00:00

Do computer machines (both desktops and servers) in a windows environment need a computer certificate?
I just noticed a computer having an expired machine certificate and it did not renew. Just want to ask what would happen if its not renewed.

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,833 questions
0 comments No comments
{count} votes

Accepted answer
  1. Hannah Xiong 6,276 Reputation points
    2020-12-14T03:17:21.857+00:00

    Hello,

    Thank you so much for your kindly reply.

    So sorry that we are not professional with Radius server. According to my research, the server must host a certificate from a Certificate Authority (CA) trusted by clients on the network. So as we also mentioned, the radius server needs the certificate.

    Here we would like to share with you the below documents. Hope it could be some helpful to you.

    Plan NPS as a RADIUS server
    https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-server

    Network Policy Server Best Practices
    https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices

    Deploy Server Certificates for 802.1X Wired and Wireless Deployments
    https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/deploy-server-certificates-for-802.1x-wired-and-wireless-deployments

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Hannah Xiong 6,276 Reputation points
    2020-12-08T09:28:49.6+00:00

    Hello,

    Thank you so much for posting here.

    Are our computer machines joined to the domain? Whether needs a computer certificate depends on our requirement.

    If the computer certificate has expired, we could request a new certificate. Or have we configured computer certificate auto-enrollment?

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129705(v=ws.11)

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Hannah Xiong 6,276 Reputation points
    2020-12-10T01:56:48.387+00:00

    Hello,

    Thank you so much for your kindly reply.

    "They are typically used for 802.1x WLAN or wired authentication, or they might be used for VPN logon. Then you might used them for IPsec / "domain isolation" or perhaps DirectAccess or related solutions by other vendors.

    So they are needed for some sort of "network isolation" but they are not required for default AD operations. With some the mentioned scenarios (e.g. 802.1x / IPsec) you have the choice to pick either certificates or other credentials."

    Reference: https://social.technet.microsoft.com/Forums/Sharepoint/en-US/42b9fa66-57c7-4f58-80d1-c10b31c71282/what-do-i-need-the-computer-certificate-for-in-an-active-directory-domain-theoretical-inquiry?forum=winserversecurity

    If the computer certificate expired, then it will not be used in the above mentioned scenarios. So to avoid any authentication issue, we need to renew the certificate before expiring. Or if it has expired, we need to request a new certificate.

    To configure the Group policy for the autoenrollment, we do not need to manually request for new certificate on our domain controllers. Besides, it will automatically renew expired certificate. We could choose to do this.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.