Autoenrollment and Certificate Renewal
This may be a completely stupid question and expose a large hole in my understanding of ADCS... though, to be fair, there are probably so many holes that it resembles Swiss cheese, but... When renewing a client certificate through manual means, it seems possible to renew either with the same key pair or with a new key pair. When a client certificate is renewed through auto-enrollment, is it always renewed with a new key pair? I can't find anything in the certificate templates UI that suggests how this could be controlled.
Steve G
September 10th, 2010 7:24pm

This is internal logic, so I'm not sure if you can control this behavior.
http://en-us.sysadmins.lv
September 10th, 2010 8:34pm

Does the internal logic mean that either condition could be true, i.e. it decides whether the certificate is renewed with the same key pair or a different key pair?
Steve G
September 10th, 2010 8:51pm

Steve, We've been using EFS in my organization for several years now. Our EFS certs roll over once a year, and I have yet to get a trouble ticket from someone who can't access their encrypted files. It may be that Windows is smart enough to touch all encrypted files when the cert renews via Autoenrollment, but I sincerely doubt it. The behavior may be different depending upon the application policies, though. This is a great question; definitely worth researching.
September 10th, 2010 9:56pm

> Does the internal logic mean that either condition could be true, i.e. it decides whether the certificate is renewed with the same key pair or a different key pair?

The logic is that the autoenrollment client always uses a new key pair unless this is a smart card and there is a setting (in the template) that allows using the existing key pair if the smart card is out of space.

> Our EFS certs roll over once a year, and I have yet to get a trouble ticket from someone who can't access their encrypted files

This is because EFS private keys are not removed from the computer. The system archives them for decryption purposes only. Therefore, once the certificate is renewed, the new certificate is used for both encryption and decryption (of files that are encrypted with the current key). Old certificates are used to decrypt files encrypted with that certificate's public key. Therefore autoenrollment doesn't affect EFS.
http://en-us.sysadmins.lv
September 11th, 2010 6:40pm
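As an added example (not from the thread or from the reply's author), the following PowerShell audit reads the current user's personal certificate store and shows the two points made above: whether each EFS renewal carries a distinct public key, and whether the older EFS certificates are still present with their private keys. It assumes the Encrypting File System EKU OID 1.3.6.1.4.1.311.10.3.4 and only reads the store.

```powershell
# Added example, not part of the thread: audit the current user's EFS certificates
# to confirm what the reply above describes - each autoenrollment renewal should
# carry a new public key, while the older certificates stay in the store with
# their private keys so previously encrypted files remain decryptable.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

function Get-PublicKeyHash {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Hash the raw public key so two certificates sharing a key pair compare equal
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([BitConverter]::ToString($sha.ComputeHash($Cert.GetPublicKey())) -replace '-') }
    finally { $sha.Dispose() }
}

$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
}

$report = $efsCerts | Sort-Object NotBefore | ForEach-Object {
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        NotBefore     = $_.NotBefore
        NotAfter      = $_.NotAfter
        Expired       = ($_.NotAfter -lt (Get-Date))
        HasPrivateKey = $_.HasPrivateKey
        KeyHash       = (Get-PublicKeyHash $_).Substring(0, 16)  # prefix is enough to compare
    }
}
$report | Format-Table -AutoSize

# Renewals with a fresh key pair produce one distinct KeyHash per certificate.
$distinctKeys = @($report.KeyHash | Sort-Object -Unique).Count
if (@($report).Count -gt $distinctKeys) {
    Write-Warning "$(@($report).Count - $distinctKeys) renewal(s) reused an existing key pair."
}

# An expired EFS certificate whose private key is gone is a recovery risk:
# files still encrypted to it cannot be opened with this user's keys alone.
$report | Where-Object { $_.Expired -and -not $_.HasPrivateKey } | ForEach-Object {
    Write-Warning "Expired EFS certificate $($_.Thumbprint) has no private key available."
}
```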

