Certificate autoenrollment and expiration date
Hi,
A question regarding certificates, autoenrollment and expiration date.
When a computer / user certificate has been set up with autoenrollment, and a GPO has been configured, and the client is able to automatically get this certificate with a GPO: what happens when the certificate is about to expire? Will the client get any information? Will the client automatically solve this since it has autoenrollment configured?
Any recommendations when it comes to backup CA server?
Thanks for reply
Ole
April 6th, 2011 2:24pm

Hi,
You can set auto renewal ... http://technet.microsoft.com/en-us/library/cc731522.aspx
If you are enabling certificate autoenrollment, you can select the following check boxes:
"Renew expired certificates, update pending certificates, and remove revoked certificates" enables autoenrollment for certificate renewal, issuance of pending certificate requests, and the automatic removal of revoked certificates from a user's certificate store.
"Update certificates that use certificate templates" enables autoenrollment for issuance of certificates that supersede issued certificates.
BR.
RipPle
April 6th, 2011 3:54pm

Hi,
OK, I see, but will the client notice anything when the certificate is about to expire? Can I see any information in the event log of the CA that a client certificate is about to expire, or must I only check the Issued Certificates?
Regards
Ole
April 6th, 2011 4:15pm

There will be no event logged on the CA that indicates that a certificate is about to expire. Having said that, you can look in the certificate console at the issued certificates and sort by expiration date to see certificates that are about to expire. I like to export this to a CSV file so I can open it in Excel and work with it easier.
Too manual for you? You can also write a quick script using certutil:
Certutil -view -restrict "disposition=20,certificatetemplate=webserver,notafter<=11/20/2010" -out CommonName,NotAfter
Also, I want to make sure you're aware of the automatic renewal mentioned above. You can configure WHEN clients will attempt to renew their certificates with a setting on the template, specifically "Renewal Period". By default this is set to 6 weeks for most certificates. This means that when the certificate gets within 6 weeks of its expiration date, the autoenrollment process will automatically try to renew it.
With these three options, you should be able to manage certificate expiration.
Thanks!
April 6th, 2011 5:23pm
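
Added example, not part of the thread: a PowerShell function that takes the kind of list the certutil query in the reply above produces and reports, per common name and template, certificates that are expired or inside the 6-week renewal window with no newer certificate issued. The CSV column names, the ISO date format, the host names and the function name Get-RenewalStatus are assumptions, and the rows are constructed.

```powershell
# Constructed sample rows (not real CA data). Column names follow the certutil
# fields used in the reply above; the yyyy-MM-dd date format is an assumption.
$sample = @'
CommonName,CertificateTemplate,NotAfter
web01.example.test,WebServer,2011-05-01
web01.example.test,WebServer,2012-04-20
web02.example.test,WebServer,2011-05-10
web03.example.test,WebServer,2011-09-30
web04.example.test,WebServer,2011-03-15
'@

function Get-RenewalStatus {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [datetime] $AsOf,
        [int] $RenewalDays = 42   # 6 weeks, the default "Renewal Period" cited above
    )
    # Parse dates once so rows can be sorted and compared as dates, not strings.
    $parsed = foreach ($r in $Rows) {
        [pscustomobject]@{
            CommonName = $r.CommonName
            Template   = $r.CertificateTemplate
            NotAfter   = [datetime]::ParseExact($r.NotAfter, 'yyyy-MM-dd',
                             [cultureinfo]::InvariantCulture)
        }
    }
    foreach ($g in ($parsed | Group-Object CommonName, Template)) {
        # Only the latest-expiring certificate per subject and template counts:
        # an older one with a newer sibling has already been renewed.
        $latest   = $g.Group | Sort-Object NotAfter | Select-Object -Last 1
        $daysLeft = [int][math]::Floor(($latest.NotAfter - $AsOf).TotalDays)
        $status   = 'OK'
        if ($daysLeft -le $RenewalDays) { $status = 'InWindowNotRenewed' }
        if ($daysLeft -lt 0)            { $status = 'Expired' }
        [pscustomobject]@{
            CommonName = $latest.CommonName
            Template   = $latest.Template
            NotAfter   = $latest.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

# Evaluate the sample as of the thread date and list only rows needing attention.
Get-RenewalStatus -Rows ($sample | ConvertFrom-Csv) -AsOf ([datetime]'2011-04-06') |
    Where-Object Status -ne 'OK' | Sort-Object DaysLeft | Format-Table -AutoSize
```

A row reported as InWindowNotRenewed means autoenrollment should already have attempted renewal for that subject, so the client (offline, GPO not applied, template permissions) is the place to look.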

Hi, Thanks for great reply, cleared some questions :) Ole
April 8th, 2011 3:42pm

This topic is archived. No further replies will be accepted.
