Certificate Renewal Doubt
Hello, I have a few doubts regarding renewing certificates (using an existing key) from a stand-alone issuing CA and would be thankful for any help.

1. While creating a renewal request (using the certreq -new command), executing the command brings up a dialog with the certificate that needs to be renewed. Is there any way to prevent this and create the request directly? I am not sure why this dialog comes up, since the thumbprint in the inf file refers to a single certificate.

2. After I renew the certificate and replace the old one with the new on the client, can I revoke the old certificate on the CA? I would like to prevent unused certificates from being active in the environment.

3. After installing the renewed certificate (using the certreq -accept command), the certificate gets installed in the 'Current User' store on the client even though the original certificate was present in the 'Local Computer' store. Would it be possible to install the renewed certificate in the 'Local Computer' store?

Thanks,
-p
December 1st, 2009 1:03am

You need to add MachineKeySet=True to the .inf file you use when you run the certreq -new command.
Brian
December 1st, 2009 4:55am

Thanks Brian, the new certificate gets installed in the 'Local Computer' store now. Would you happen to have an idea about the second question? I just want to make sure that revoking the original certificate does not affect the renewed cert in any way. Thanks!
December 1st, 2009 5:18pm

It does not affect the renewed certificate. A CRL entry contains the serial number of the revoked certificate and the revocation reason. The serial number for the renewed certificate is different from the old certificate, so no collision occurs.
Brian
December 1st, 2009 5:25pm
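An added example, not from this thread or from Microsoft's documentation, that strings the two answers above together: a renewal .inf with MachineKeySet=True so the renewed certificate stays in the Local Computer store, a check that it actually landed there with its private key and a new serial number, and only then revocation of the superseded certificate on the CA. The thumbprint, the CA config string and the file names are placeholders; UseExistingKeySet and Exportable are included on the assumption that the original key is being reused and, as the original poster found, Exportable must be restated.

```powershell
# Added example (not the thread's own code). Run in an elevated PowerShell on the client.
$OldThumbprint = 'REPLACE_WITH_THUMBPRINT_OF_CERT_TO_RENEW'   # placeholder
$CAConfig      = 'CAHOST\Example Issuing CA'                  # placeholder: host\CA common name

$old = Get-Item "Cert:\LocalMachine\My\$OldThumbprint"

# MachineKeySet = TRUE is what keeps the renewed certificate in the
# Local Computer store instead of Current User (Brian's answer above).
# UseExistingKeySet / Exportable: assumed settings for a same-key renewal
# whose key must remain exportable, as the original poster required.
@"
[NewRequest]
RenewalCert = $OldThumbprint
MachineKeySet = TRUE
UseExistingKeySet = TRUE
Exportable = TRUE
"@ | Set-Content -Path renew.inf -Encoding ASCII

certreq -new renew.inf renew.req
certreq -submit -config $CAConfig renew.req renewed.cer
certreq -accept renewed.cer

# Check before touching anything on the CA: the renewed certificate must be in
# LocalMachine\My with a usable private key and a serial number that differs
# from the old one (the CRL entry will carry only the old serial).
$new = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $old.Subject -and $_.Thumbprint -ne $OldThumbprint } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $new -or -not $new.HasPrivateKey) {
    throw 'Renewed certificate is not in LocalMachine\My with a private key; not revoking.'
}
if ($new.SerialNumber -eq $old.SerialNumber) {
    throw 'Serial numbers match; something is wrong, not revoking.'
}

# Revoke the old certificate with reason 4 (Superseded). Because the new
# certificate has its own serial number, this does not affect it.
certutil -config $CAConfig -revoke $old.SerialNumber 4

# Remove the old certificate from the local store. Do NOT pass -DeleteKey:
# the renewed certificate shares the same private key container.
Remove-Item "Cert:\LocalMachine\My\$OldThumbprint"
```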

Thanks! I just realized (after you told me about the MachineKeySet) that even though the private key was marked as being exportable in the inf file used to create the original request, it needs to be specified again in the renewal inf file. Now, I am unsure as to which properties need to be specified in the renewal file. From what I understand, if I do not wish to change key related attributes, I can skip KeyLength. Could you please let me know if any of the following need to be specified again: KeySpec, SMIME, PrivateKeyArchive, UserProtected, UseExistingKeySet (I think this is for new requests so it can be skipped, but I am not sure), ProviderType, RequestType, ProviderName, KeyUsage and an OID in the EnhancedKeyUsageExtension section?
December 1st, 2009 6:09pm

Sorry, do not know that off the top of my head. I recommend you test the various options (as I would) in a test network.
Brian
December 2nd, 2009 1:21am

No problem. Thanks!
December 2nd, 2009 5:08pm

Do you have the answer to your first question?
February 24th, 2010 9:56am
