Autoenrollment and Certificate Renewal
This may be a completely stupid question and expose a large hole in my understanding of ADCS...though to be fair there are probably so many holes, it resembles a Swiss cheese, but...
When renewing a client certificate through manual means, it seems possible to renew either with the same key pair or a new key pair. When a client certificate is renewed through auto-enrollment, is it always renewed with a new key pair? I can't find anything in the certificate templates UI that suggests how this could be controlled.
Steve G
September 10th, 2010 7:24pm
This is internal logic, so I'm not sure if you can control this behavior.
http://en-us.sysadmins.lv
September 10th, 2010 8:34pm
Does the internal logic mean that either condition could be true, i.e. it decides whether the certificate is renewed with the same key pair or a different key pair?
Steve G
September 10th, 2010 8:51pm
Steve,
We've been using EFS in my organization for several years now. Our EFS certs roll over once a year, and I have yet to get a trouble ticket from someone who can't access their encrypted files. It may be that Windows is smart enough to touch all encrypted files when the cert renews via Autoenrollment, but I sincerely doubt it.
The behavior may be different depending upon the application policies, though. This is a great question; definitely worth researching.
September 10th, 2010 9:56pm
> Does the internal logic mean that either condition could be true, i.e. it decides whether the certificate is renewed with the same key pair or a different key pair?
The logic is that the autoenrollment client always uses a new key pair, unless this is a smart card and there is a setting (in the template) that allows using the existing key pair if the smart card is out of space.
> Our EFS certs roll over once a year, and I have yet to get a trouble ticket from someone who can't access their encrypted files
This is because EFS private keys are not removed from the computer. The system archives them for decryption purposes only. Therefore, once the certificate is renewed, the new certificate is used for both encryption and decryption (of files encrypted with the current key). Old certificates are used to decrypt files encrypted with that certificate's public key. Therefore autoenrollment doesn't affect EFS.
http://en-us.sysadmins.lv
September 11th, 2010 6:40pm
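One way to verify the behaviour described in this thread on your own machines, as an added example that is not part of the original posts: group the current user's certificates by their certificate template and report whether each renewed certificate carries the same public key as its predecessor. It assumes V2 (or later) templates, which stamp the Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) into the issued certificate; older V1 templates are skipped.

```powershell
# Added example: detect key-pair reuse across certificate renewals in the
# current user's personal store. Autoenrollment renewals are expected to show
# SameKeyPair = False; a manual "renew with same key" would show True.
$templateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (V2 templates)

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    if ($null -eq $ext) { return $null }
    # Format() renders "Template=<name>(<oid>), Major Version Number=..., ..."
    return $ext.Format($false)
}

# Only certificates that came from a template are interesting here.
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $null -ne (Get-TemplateName -Cert $_) }

$groups = $certs | Group-Object -Property { Get-TemplateName -Cert $_ }

foreach ($g in $groups) {
    # Oldest first, so each certificate is compared with the one it replaced.
    $ordered = @($g.Group | Sort-Object NotBefore)
    for ($i = 1; $i -lt $ordered.Count; $i++) {
        $prev = $ordered[$i - 1]
        $cur  = $ordered[$i]
        # Compare the raw SubjectPublicKey bytes; identical bytes mean the
        # renewal reused the existing key pair.
        $prevKey = [Convert]::ToBase64String($prev.GetPublicKey())
        $curKey  = [Convert]::ToBase64String($cur.GetPublicKey())
        [pscustomobject]@{
            Template      = $g.Name
            OldThumbprint = $prev.Thumbprint
            OldNotBefore  = $prev.NotBefore
            NewThumbprint = $cur.Thumbprint
            NewNotBefore  = $cur.NotBefore
            SameKeyPair   = ($prevKey -eq $curKey)
        }
    }
}
```

For EFS, the archived predecessor certificates this script lists are exactly the ones Windows keeps for decrypting files encrypted under the earlier keys, so seeing SameKeyPair = False for every renewal is the expected result, not a problem.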