Certificate Renewal

Applies To: Windows Server 2003 with SP1

This section discusses renewal intervals, forced re-enrollment, and smart card renewal.

Renewal Intervals

Windows XP Professional or Windows Server 2003 clients, when combined with a Windows Server 2003, Enterprise Edition certification authority, automatically renew certificates as specified on a per-template basis. The renewal interval is dictated by the certificate template and is set by default to six weeks before expiration. When a certificate is renewed, the old (previous) certificate is always archived automatically on the client machine, and the user's directory object is updated.

Important certificate renewal criteria include the following:

  • Automatic certificate renewal only occurs once 80 percent of the certificate lifetime has passed, or once the remaining lifetime is within the renewal period specified on the template, whichever timeframe is smaller (that is, the later of the two points in time).

  • If the renewal period is greater than 20 percent of the certificate lifetime, autoenrollment will not attempt renewal until the 80 percent threshold has been reached.

Forcing Re-Enrollment

An administrator may force all users to re-enroll for a given template by updating the major version number of the template. When Active Directory is queried during logon for required certificate templates, the version number is examined. If the version number has incremented, the certificate template is considered to be updated and the user must re-enroll for that template.
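To make the renewal-interval rules and the template version check concrete, here is an added Python example (not part of the original page or of Windows autoenrollment itself) that decodes a template's validity and renewal periods from the 8-byte form Active Directory uses for the pKIExpirationPeriod and pKIOverlapPeriod attributes, computes when the renewal window opens for an issued certificate, and applies the major-version comparison described above. The attribute names and their encoding are taken from the AD schema rather than from this page, and all certificate dates, version numbers and byte values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample values, encoded the way AD stores pKIExpirationPeriod and
# pKIOverlapPeriod: an 8-byte little-endian signed integer holding a NEGATIVE
# count of 100-nanosecond intervals (assumed encoding; not shown on the page).
ONE_YEAR_PERIOD = bytes.fromhex("004039872EE1FEFF")   # -365 days
SIX_WEEK_PERIOD = bytes.fromhex("0080A60AFFDEFFFF")   # -42 days (the six-week default)


def decode_period(raw: bytes) -> timedelta:
    """Decode a template period attribute into a positive timedelta."""
    ticks = int.from_bytes(raw, "little", signed=True)
    if ticks >= 0:
        raise ValueError("template period must be stored as a negative interval")
    return timedelta(microseconds=-ticks // 10)   # 100 ns ticks -> microseconds


@dataclass
class Template:
    name: str
    major_version: int            # bumped by "Reenroll All Certificate Holders"
    validity: timedelta           # from pKIExpirationPeriod
    renewal_period: timedelta     # from pKIOverlapPeriod


@dataclass
class IssuedCert:
    template_name: str
    template_major_version: int   # major version recorded in the cert's template extension
    not_before: datetime
    not_after: datetime


def renewal_start(cert: IssuedCert, tmpl: Template) -> datetime:
    """Earliest time at which autoenrollment will attempt renewal.

    The window opens at the later of two points: 80 percent of the lifetime
    elapsed, or the template renewal period before expiration. When the renewal
    period exceeds 20 percent of the lifetime, the 80 percent point governs.
    """
    lifetime = cert.not_after - cert.not_before
    eighty_percent_point = cert.not_before + (lifetime * 8) // 10
    overlap_point = cert.not_after - tmpl.renewal_period
    return max(eighty_percent_point, overlap_point)


def autoenrollment_action(cert: IssuedCert, tmpl: Template, now: datetime) -> str:
    """Model the client's decision for one certificate against its template."""
    if tmpl.major_version > cert.template_major_version:
        return "reenroll"       # template major version incremented: re-enroll regardless of age
    if now >= renewal_start(cert, tmpl):
        return "renew"          # inside the renewal window: renew with a new key
    return "none"


if __name__ == "__main__":
    tmpl = Template("User", 100, decode_period(ONE_YEAR_PERIOD), decode_period(SIX_WEEK_PERIOD))
    cert = IssuedCert("User", 100, datetime(2024, 1, 1), datetime(2024, 12, 31))
    print("renewal window opens:", renewal_start(cert, tmpl))
    print("action on 2024-06-01:", autoenrollment_action(cert, tmpl, datetime(2024, 6, 1)))
    print("action on 2024-11-20:", autoenrollment_action(cert, tmpl, datetime(2024, 11, 20)))
```

With a one-year certificate and the six-week default, the window opens six weeks before expiration because six weeks is under 20 percent of the lifetime; for a 90-day certificate with the same template setting, six weeks exceeds 20 percent, so the window does not open until 72 days (80 percent) have elapsed.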

To manually force the template version to be updated (thereby forcing re-enrollment)

  • Right-click the template and select Reenroll All Certificate Holders (Figure 14).

    Note

    An updated template is not picked up by clients immediately. By default, template information is refreshed at a minimum interval of 10 minutes.

    Figure 14: Manually Forcing Certificate Re-Enrollment

Smart Card Renewal

The renewal behavior of a smart card varies with the type of smart card CSP in use and the state of the card at the time of renewal. In general, if the smart card has space available for an additional enrollment and the CSP supports multiple keys on a single card, autoenrollment asks the card to generate a new key for the enrollment. If this succeeds, the certificate is written to the card and the new container is marked as the default. The default container is the only container that the Winlogon process enumerates when looking for a smart card logon certificate and key. If the smart card or CSP cannot generate a new key on the card, the existing key is reused and the new certificate is forced onto the card. This action generates an event in the machine's Application event log.

Note

Autoenrollment always uses a newly generated key for enrollment and renewal requests. The only exception is some smart card CSPs that cannot support a new key because of storage limitations on the smart card. If a key is reused, an event is written to the client's Application event log.

Revoked Certificates and Renewal

Revoked certificates cannot be renewed and cannot be used to sign a renewal request; autoenrollment explicitly blocks this scenario. In this case the user must perform a new manual enrollment request instead of a renewal.