Issue with certificate renewal via autoenrollment

Shaan 41 Reputation points
2021-09-23T08:38:14.557+00:00

Hi All,

We have configured autoenrollment of certificates via GPO to issue the email encryption certificates. But recently we have started observing issues with the renewal of the certificate. When the previously issued certificate is in the renewal window we see the certificate getting renewed on the CA, but it is not installing on the user's machine. Hence, we have to recover the new certificate from the CA database and hand it over to the users. Since the old certificate reaches the renewal window, as part of Microsoft's default behavior the old certificate is marked as "archived" and users are not able to send new encrypted email until we provide the PFX file manually.

Could you please help me to identify why the renewed certificate is not installing on the user machines automatically?

Thanks,
Shaan


Accepted answer
  1. cthivierge 4,051 Reputation points
    2021-09-23T09:35:14.387+00:00

    Look in the Applications and Services Logs / Microsoft / Windows / CertificateServicesClient-Lifecycle-User log on the client computer. You may find more information there.


1 additional answer

  1. Limitless Technology 39,331 Reputation points
    2021-09-23T10:51:08.257+00:00

    Hello @Shaan,

    Before you perform this procedure, you must configure a server certificate template by using the Certificate Templates Microsoft Management Console snap-in on a CA that is running AD CS.

    Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

    Please do check the CertificateServicesClient-Lifecycle-User log under Applications and Services Logs for more information and a better understanding.

    Do have a look at the link below for ideas about configuring certificate auto-enrollment:

    https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

    ---------------------------------------------------------------------------------------------------------

    Hope this answers all your queries; if not, please do repost back.
    If an answer is helpful, please click "Accept Answer" and upvote it :)

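Both answers point at the same check: read the client-side CertificateServicesClient-Lifecycle-User event log to see why the renewed certificate never landed in the user's personal store. The script below is an added diagnostic example, not code from either answerer or from Microsoft; it gathers the evidence a practitioner would want in one pass on the affected client, run in the affected user's session. It assumes Windows 8 / Server 2012 or later (where that operational log exists), that the user-side autoenrollment GPO writes the `AEPolicy` value under `HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment`, and that autoenrollment status events are written to the Application log by the provider `Microsoft-Windows-CertificateServicesClient-AutoEnrollment` (that provider name is an assumption, not taken from the thread).

```powershell
# Added diagnostic script (not from the Q&A thread). Run in the affected user's
# session on the client where the renewed certificate is missing.

# 1. Is the user-side autoenrollment policy applied at all? The GPO writes AEPolicy
#    here; 7 = enrol + renew expired/update pending + update templates, 0x8000 = disabled.
#    A missing key means the user configuration of the GPO never reached this user.
$aeKey = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue
if ($null -eq $ae) {
    Write-Warning "No user autoenrollment policy applied ($aeKey is missing)"
} else {
    'AEPolicy = 0x{0:X}' -f [int]$ae.AEPolicy
}

# 2. Lifecycle events for the user's certificates (the log both answers refer to).
#    Renewal failures show up here with the CA's error code in the message text.
$lifecycleLog = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $lifecycleLog; StartTime = (Get-Date).AddDays(-7) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 3. Autoenrollment status events in the Application log (provider name assumed).
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 4. What is actually in the user's personal store, with the template each
#    certificate came from, so it can be compared with what the CA shows as issued.
$templateOid = '1.3.6.1.4.1.311.21.7'   # szOID_CERTIFICATE_TEMPLATE (v2+ templates)
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    [pscustomobject]@{
        Subject    = $_.Subject
        NotBefore  = $_.NotBefore
        NotAfter   = $_.NotAfter
        Thumbprint = $_.Thumbprint
        Template   = if ($ext) { $ext.Format($false) } else { '(no template extension)' }
    }
} | Format-Table -AutoSize

# 5. Trigger the user autoenrollment task now instead of waiting for the next
#    scheduled run, then re-read the lifecycle log for the events it just wrote.
certutil -user -pulse
Start-Sleep -Seconds 30
Get-WinEvent -FilterHashtable @{ LogName = $lifecycleLog; StartTime = (Get-Date).AddMinutes(-2) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Read the output in order: if step 1 reports no policy, the renewal is failing before the client ever asks the CA, regardless of what the CA database shows; if the policy is present, the error text in steps 2, 3 and 5 is what distinguishes a template-permission or key-archival problem from a local store problem, and step 4 confirms whether a renewed certificate for the email template is present but simply not selected by the mail client.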