Auto renewing digital certs
I have a setup with a Server 2008 R2 Enterprise CA and a subordinate CA. A group policy is applied to laptops for auto-enrollment and to renew expired certificates. The laptops are enrolling properly. New templates were created and computer certs were manually installed on certain servers. They are not set up for auto-enrollment (no group policy) and I am concerned about when it comes time to renew their certs:

1. Will the servers renew automatically?
2. When will it actually renew the cert? If the cert expires in a week, will it try to renew before then?
3. When will the laptops actually renew their certs when expired? Will they try to renew before the deadline?

The templates have an ACL of "Read" and "Enroll" for "Domain Computers", and according to this article http://technet.microsoft.com/en-us/library/cc753452.aspx, "When subjects already hold a certificate, they need only Read and Enroll permissions to renew that certificate, whether they use autoenrollment or not."
March 23rd, 2011 11:03am

1) No, you will have to manually renew them (right-click on it, All Tasks -> Renew...) from the Certificates MMC snap-in. Or you can write a custom script for that.
2) Never, if autoenrollment or automatic certificate request (for V1 computer templates only) is not configured.
3) They will attempt to renew after 80% of the certificate lifetime. The exact value is set in the certificate template's General tab (see the renewal section). The mentioned article assumes manual enrollment or automatic certificate request policy. For autoenrollment, the Autoenroll permission is required.

http://en-us.sysadmins.lv
PowerShell PKI module: http://pspki.codeplex.com/
March 23rd, 2011 3:45pm

Hi, thanks for the response. Let me see if I have this: if a server already has a certificate and I configure a GPO for auto-enrollment and target the server with the GPO, plus I assign the permissions on the template for Read and Enroll for the server group, I should be set and the servers will renew their cert when the time comes. I found this useful article for anyone that is interested: http://technet.microsoft.com/en-us/library/cc787781%28WS.10%29.aspx
March 23rd, 2011 4:14pm

You are correct. If you have the autoenrollment GPO turned on [I can't remember which checkbox in the GPO UI controls this setting], then certs will get renewed even if the template does not have the "AutoEnroll" permission for that user/machine. The time when renewals begin is 80% of the lifetime of the cert OR the renewal period in the template, whichever comes sooner.

Andrew
March 23rd, 2011 9:33pm
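As an added example (not code from the thread or from either answerer), here is the kind of "custom script" mentioned in the first answer, written for the servers that have manually installed template certs and no autoenrollment GPO. It lists the machine certificates that were issued from a template, computes when each one enters its renewal window under the rule quoted in the thread (80% of lifetime, or the template's renewal period, whichever comes sooner), and, with -Renew, renews the due ones through certreq, which is the manual renewal path that per the TechNet quote above needs only Read and Enroll on the template. Assumptions: the renewal period is a template setting that is not stored in the certificate, so it is passed in (the 42-day default is made up, read the real value from the template's General tab); the AEPolicy registry bits used to report the autoenrollment policy state are my reading of the GPO and are labelled as such in the code; the script runs elevated on the server.

```powershell
<#
Added example, not part of the original thread. Reports when each
template-issued machine certificate enters its renewal window using the
thread's rule (80% of lifetime or the template renewal period, whichever is
sooner) and optionally renews the due ones with certreq.
#>
[CmdletBinding()]
param(
    [int]$RenewalPeriodDays = 42,   # assumed value; the real one is on the template's General tab
    [switch]$Renew                  # default is report only
)

# Extension OIDs that mark a certificate as template-issued (V2+ and V1 templates).
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'

function Get-AutoEnrollmentPolicy {
    # AEPolicy is written by the "Certificate Services Client - Auto-Enrollment" GPO.
    # Bit meanings are an assumption on my part: 0x2 = renew expired / update pending /
    # remove revoked, 0x4 = update certificates that use templates, 0x8000 = disabled.
    # No value at all means the policy is not configured on this host.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $item = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    $v = [int]$item.AEPolicy
    if ($v -band 0x8000) { return 'Disabled' }
    $flags = @('Enabled')
    if ($v -band 0x2) { $flags += 'RenewExpired' }
    if ($v -band 0x4) { $flags += 'UpdateTemplates' }
    return ($flags -join ',')
}

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateInfoOid -or $ext.Oid.Value -eq $TemplateNameOid) {
            # Format() renders the template name (plus OID and version for V2 templates).
            return ($ext.Format($false) -replace '\s+', ' ')
        }
    }
    return $null   # not template-issued; autoenrollment will never manage it
}

function Get-RenewalWindow {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$RenewalPeriodDays,
        [datetime]$Now = (Get-Date)
    )
    $lifetime      = $Cert.NotAfter - $Cert.NotBefore
    $eightyPercent = $Cert.NotBefore.AddTicks([long]($lifetime.Ticks * 0.8))
    $periodStart   = $Cert.NotAfter.AddDays(-$RenewalPeriodDays)
    # Thread's rule: the window opens at whichever threshold comes first.
    $windowOpens = if ($eightyPercent -lt $periodStart) { $eightyPercent } else { $periodStart }
    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        Template      = Get-TemplateName $Cert
        NotAfter      = $Cert.NotAfter
        EightyPercent = $eightyPercent
        PeriodStart   = $periodStart
        WindowOpens   = $windowOpens
        Due           = ($Now -ge $windowOpens)
        Expired       = ($Now -ge $Cert.NotAfter)
    }
}

"Auto-enrollment policy on this host: $(Get-AutoEnrollmentPolicy)"

$report = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Get-TemplateName $_) } |
    ForEach-Object { Get-RenewalWindow -Cert $_ -RenewalPeriodDays $RenewalPeriodDays }

$report | Sort-Object WindowOpens |
    Format-Table Subject, Template, NotAfter, WindowOpens, Due, Expired -AutoSize

if ($Renew) {
    foreach ($c in ($report | Where-Object { $_.Due })) {
        if ($c.Expired) {
            # A renewal request is signed with the old certificate, so an expired one
            # cannot be renewed this way; enroll a fresh certificate instead.
            "SKIPPED (expired, needs new enrollment): $($c.Subject)"
            continue
        }
        "Renewing $($c.Subject) ($($c.Thumbprint))"
        # New keys are generated; append ReuseKeys after Renew to keep the existing pair.
        & certreq.exe -Enroll -machine -q -cert $c.Thumbprint Renew
    }
}
```

Run it without -Renew first and compare the WindowOpens column against the template's renewal period; the EightyPercent and PeriodStart properties are both kept on the report objects so you can see which of the two thresholds is driving the date. For the laptops that do have the GPO, `certutil -pulse` triggers an autoenrollment pass on demand, which is a quicker check than waiting for the next scheduled run.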

.
March 24th, 2011 2:27am

thanks
March 24th, 2011 3:40am
