Windows Server Datacenter 2012 R2 and Certificates

0

Hi everybody, and thank you in advance for your support. On my business domain we have a lot of expired certificates (like the RDS Authentication Certificates) under the Certificate Authority.

We spent a lot of time looking for a method to renew these certificates, but we don't get the point.

Is there someone who could explain to me how to renew or reissue these certificates?

Thank you for your support

Joe

Posted 2019-05-28T17:27:47.860

Reputation: 1

Joe, I think a lot more detail would be helpful. This is a complex area affecting potentially several machines. – Daniel K – 2019-05-28T17:39:28.337

Hi Daniel, what kind of details do you think will be helpful? At the moment I'm searching for a procedure to follow to solve this problem – Joe – 2019-05-28T17:48:37.643

Give an example with more info about the certificate that has expired? When was it issued? To which computer? All info about one issuance would be useful. Note that normally there is no automatic process to issue renewals. – Daniel K – 2019-05-28T17:54:13.150

For example, there are a lot of Client Server Certificates or RDS authentication certificates that expired almost a year ago. I'm trying to understand how to renew them. – Joe – 2019-05-28T17:56:42.587

When was it issued? To which computer? – Daniel K – 2019-05-28T18:02:52.833

They were issued in September 2016 from the CA server to all clients joined to the domain – Joe – 2019-05-28T18:04:57.563

On the server, is the Remote Desktop Configuration service enabled? If yes, restart it. Question: Why do you need to renew expired certificates if everything is working fine, rather than deleting them? (Add to your comment @harrymc for me to be notified.) – harrymc – 2019-05-28T19:25:07.380

Answers

0

Basically, the machine or user has to request the renewal from the CA server. I think that some of your renewals could be handled by certificate auto-enroll policy. The policy forces domain machines to request the new certificate from the CA and there are several steps required to enable this.

This Microsoft document details in short form the server-side and client-side steps.

Daniel K

Posted 2019-05-28T17:27:47.860

Reputation: 805

Daniel, I have a doubt. Do I have to follow both sections or just the first one? – Joe – 2019-05-28T18:43:47.720

The first section is to make machines apply for a machine certificate and the second section is to make users apply for a user certificate. You may need only one or both depending on what certificates you issue. – Daniel K – 2019-05-28T19:32:01.617

Hi Daniel, I followed the document you linked and I checked that server certificate auto-enrollment was already active. So why are all the certificates expired? – Joe – 2019-05-29T06:26:13.600

Hi Daniel, in the AD CS Server Management I found this error: Problem: This certification authority (CA) was installed as an enterprise CA, but Group Policy settings for user autoenrollment have not been enabled. Impact: An enterprise CA can use autoenrollment to simplify certificate issuance and renewal. If autoenrollment is not enabled, certificate issuance and renewal may not occur as expected. – Joe – 2019-05-29T06:36:51.207

Resolution: If user autoenrollment is desired, use the Group Policy Management Console to configure user autoenrollment policy settings, and use the Certificate Templates snap-in to configure autoenrollment settings on the certificate templates. – Joe – 2019-05-29T06:36:57.267

There is something blocking the normal operation of auto-enrollment, but there is no information here to allow people to help you. Try following troubleshooting articles and then posting the specific problems you are having along with appropriate logs etc. – Daniel K – 2019-05-29T07:07:06.020

Daniel, could you suggest a troubleshooting path for me? – Joe – 2019-05-29T07:11:15.883
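The client-side checks that Daniel K's answer and the later comments describe (is the autoenrollment policy applied, which certificates are expired, what the autoenrollment client itself reports after a forced pass), collected into one script as an added example; it is not code from the thread or from Microsoft's document. It assumes an elevated PowerShell session on a domain-joined Windows Server 2012 R2 (or later) host whose expired certificates live in the computer store, and that the forest has a reachable enterprise CA; the template name `Machine` passed to `Get-Certificate` is a placeholder for whichever template the expired certificates were issued from. The AEPolicy registry value and the event provider name are the standard ones the autoenrollment GPO and client use; nothing here changes the CA.

```powershell
# Added example, not from the original thread. Run elevated on a domain-joined host.
# Assumption: expired certificates are in Cert:\LocalMachine\My (machine store).

function Get-ExpiringMachineCert {
    # List machine certificates expired or expiring within $Days, with the
    # template they came from, so you know which template autoenrollment must cover.
    param([int]$Days = 30)
    $threshold = (Get-Date).AddDays($Days)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -lt $threshold } |
        Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint,
            @{ n = 'Template'; e = {
                # v2 "Certificate Template Information" (1.3.6.1.4.1.311.21.7) or
                # v1 "Certificate Template Name" (1.3.6.1.4.1.311.20.2) extension.
                ($_.Extensions |
                    Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
                    ForEach-Object { $_.Format($false) }) -join '; '
            } }
}

function Test-MachineAutoEnrollPolicy {
    # The "Certificate Services Client - Auto-Enrollment" GPO writes AEPolicy here.
    # Bits: 0x1 enable, 0x2 renew expired / update pending, 0x4 update templates;
    # 7 = all three on; 0x8000 = explicitly disabled. No value = GPO never reached this host.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $ae = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    if (-not $ae) {
        [pscustomobject]@{ Applied = $false; AEPolicy = $null; Note = 'No machine autoenrollment policy applied' }
    } else {
        $v = [int]$ae.AEPolicy
        [pscustomobject]@{
            Applied  = ($v -band 0x1) -and -not ($v -band 0x8000)
            AEPolicy = ('0x{0:X}' -f $v)
            Note     = if ($v -band 0x2) { 'Renewal of expired certs enabled' } else { 'Renewal bit (0x2) NOT set' }
        }
    }
}

function Invoke-AutoEnrollPass {
    # Refresh computer policy, trigger the autoenrollment task now, then read what the
    # autoenrollment client logged (event 64 = about to expire, 13 = enrollment failed, etc.).
    gpupdate /target:computer /force | Out-Null
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 15
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        StartTime    = (Get-Date).AddMinutes(-10)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Request-MachineCertManually {
    # Manual fallback when autoenrollment stays broken: the machine requests a fresh
    # certificate from the enterprise CA itself. $Template is a placeholder; use the
    # template your expired certificates came from (see Get-ExpiringMachineCert).
    param([string]$Template = 'Machine')
    Get-Certificate -Template $Template -CertStoreLocation Cert:\LocalMachine\My
}

# Troubleshooting path, top to bottom:
Get-ExpiringMachineCert | Format-Table -AutoSize
Test-MachineAutoEnrollPolicy
# Templates this account can read; the one you need must grant Read+Enroll+Autoenroll
# to the computer's group (e.g. Domain Computers) and be published on the enterprise CA.
certutil -Template | Select-String -Pattern 'TemplatePropCommonName'
Invoke-AutoEnrollPass | Format-List
# If the pass produced errors or nothing was renewed, fall back to a manual request:
# Request-MachineCertManually -Template 'Machine'
```

Read the output in order: if `Test-MachineAutoEnrollPolicy` reports the policy is not applied, the GPO is not linked to the OU these machines sit in (or is being filtered), which matches the "Group Policy settings ... have not been enabled" warning the CA console showed; if the policy is applied but the renewal bit is off, the GPO option "Renew expired certificates, update pending certificates, and remove revoked certificates" is unchecked; if both are fine, the autoenrollment events usually name the template or the permission that is missing. Run the same checks with `Cert:\CurrentUser\My`, `HKCU:\...\AutoEnrollment` and `gpupdate /target:user` for user certificates.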