Enterprise Root CA Renewal
Hi,

To summarize, I have a Windows Server 2003 Standard running a root enterprise certificate authority. Our CA certificate is due to expire in a month and I would like to make sure I don't have any surprises.

At the moment we have DomainController certificates being automatically issued to our two DCs when they expire, along with a CAExchange certificate for certificate archival. I have checked group policy and in the domain policy the 'enrollment settings' is set to enroll certificates automatically, but the bottom two check boxes are not ticked. There are no certificates in the automatic certificate request setup either, so my question is:

If I manually request a certificate through the Certificates snap-in AFTER I renew the CA certificate, will the DomainController certificate automatically renew itself as it approaches the end of its life (6 weeks before it reaches the certificate lifetime)?

I also have a CAExchange certificate, which I'm unsure what it is used for, which appears in the issued certificates of the certificate authority, and there also doesn't seem to be any sign of where it is set to automatically renew.

I've had a read through the difference between renewing with a new key pair and renewing with an existing key pair and I'm still a little hazy on what the big difference is (apart from, obviously, a new key is more secure than an old key).

Any help would be great.

Thanks.
February 25th, 2009 6:53am

Hi there,

To answer your question: renewal is the issuing of a new certificate for the CA to extend the CA's life beyond the end date of its original certificate. You can renew a CA as a task within the Certificate Authority MMC snap-in or by using the Certutil.exe tool (with the -renewCert command). Each renewal results in a new CA certificate; however, the administrator can either generate a new public/private key pair or reuse the existing public/private key pair for the CA certificate. For consistency and integrity, CA certificates and certificate revocation lists (CRL) issued by the CA before its renewal will be available after the CA has been renewed. To make these available, Certificate Services maintains an index of CA certificates, CRLs, and keys.

If you are through with the above explanation, then...

The CRL index is directly tied to the key index, which is set to the CA certificate index only when a new key pair is used for the renewal. After the first renewal (which used a new key pair), the index of the CRL and key is set to 1, and the CRL and key container name suffix is "(1)". After the second renewal, however, the index of the CRL and key remains 1, and the CRL and key container name suffix also remains "(1)"; this is because the second renewal used the existing key pair and only one CRL is issued for each CA key pair.

Hope the above explanation is helpful.

sainath Windows Driver Development
February 25th, 2009 5:21pm

Thanks for your quick response Sainath. I guess what I was also unsure about is how the initial DomainController certificates were issued to the domain controllers and how the CAExchange certificate was issued to the server hosting the certificate authority (this is also a domain controller) in our system. I am also unsure how the certificates are being automatically enrolled; our Default Domain Policy GPO only has the "enroll certificates automatically" option checked. Don't you also need the two options under it checked as well for it to work?

My understanding (which may be patchy and/or entirely incorrect) is that you have two options to issue a certificate (in this case let's look at a DomainController certificate), which are automatic certificate request in GP OR manually requesting a certificate in the Certificates snap-in of the machine. If a certificate was manually requested in the Certificates snap-in, will this certificate still be automatically re-issued/enrolled 6 weeks before it is due to expire (assuming that is what is set for that certificate template and the CA certificate is still valid)?

Will I even need to request new DomainController certificates once I renew the CA certificate, or will that process happen automatically when they are due for renewal?

My concern is that if I renew the CA certificate when the current CA certificate expires, the DomainController certificates and the CAExchange certificates won't continue to automatically be issued and valid.

Sorry to be a pain, I'm just a bit cautious... and maybe a little paranoid too :P
February 26th, 2009 1:57am

Hi,

Generally, Windows clients will perform automatic renewal of certificates as specified on a per-template basis. Renewal intervals are dictated by the certificate template, which is set to six weeks (before expiration) by default. You don't need those two options in the GPO to renew certificates.

The autoenrollment process is normally triggered by the Winlogon process, and is designed to be activated and managed by a domain-based Group Policy. Both machine-based and user-based Group Policy can activate autoenrollment for machines and users. By default, the Group Policy is applied at reboot for machines, or at logon for users, and is refreshed every eight hours. The refresh interval can be configured using Group Policy. Autoenrollment is also triggered by an internal timer that activates every eight hours after the last time autoenrollment was activated.

For more information, please refer to the following articles.

How Autoenrollment Works
http://technet.microsoft.com/en-us/library/cc787781.aspx

Certificate Autoenrollment in Windows Server 2003
http://technet.microsoft.com/en-us/library/cc778954.aspx

Although the process is automatic, starting the process manually may be desired. The Certificates snap-in has a menu option to trigger certificate autoenrollment for the current user or local computer immediately.

Certificate autoenrollment
http://technet.microsoft.com/en-us/library/cc757629.aspx

Please also refer to the following article to get more information about renewing a CA.

Renewing a certification authority
http://technet.microsoft.com/en-us/library/cc740209.aspx

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
February 26th, 2009 11:22am
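The steps Sainath and Merv describe (check the CA's current certificates, renew with certutil -renewCert with or without reusing the key pair, then rely on template-driven autoenrollment, which can also be triggered by hand) as an added PowerShell example. This is not code from the thread or from Microsoft's articles; it assumes an elevated prompt on a current Windows Server that holds the enterprise root CA with the ADCS tools installed, and the 42-day window is the six-week template renewal period mentioned above.

```powershell
# Added example, not code from the thread. Assumes an elevated prompt on the CA host
# (ADCS role tools present); $RenewalWindowDays mirrors the 6-week template renewal period.

$RenewalWindowDays = 42

# --- 1. Before renewal: inspect the CA's own certificates.
# 'certcount' reports how many CA certificates exist; each renewal adds one, which is the
# CA certificate index Sainath refers to (0 for the original, 1 after the first renewal, ...).
certutil -CAInfo certcount
certutil -CAInfo cert      # current CA certificate, including its NotAfter date
certutil -CAInfo xchg      # CA Exchange certificate, used to encrypt private keys sent for key archival

# --- 2. List every machine certificate with its template and days remaining, flagging the ones
# that fall inside the autoenrollment renewal window. Run on the CA and on each domain controller.
function Get-MachineCertStatus {
    param([int]$WindowDays = $RenewalWindowDays)
    # OIDs of the v1 and v2 certificate template extensions; which one is present depends on the template.
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $tmpl = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
        $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Subject         = $_.Subject
            Template        = $(if ($tmpl) { $tmpl.Format($false) } else { '(none)' })
            NotAfter        = $_.NotAfter
            DaysLeft        = $daysLeft
            InRenewalWindow = ($daysLeft -le $WindowDays)
        }
    } | Sort-Object DaysLeft
}
Get-MachineCertStatus | Format-Table -AutoSize

# --- 3. Renew the CA certificate reusing the existing key pair (what the original poster did).
# Omit ReuseKeys to generate a new key pair, which also advances the CRL/key index as described above.
# Left commented out so running this script does not renew the CA by accident.
# certutil -renewCert ReuseKeys

# --- 4. After renewal: confirm the CA certificate count went up by one, trigger autoenrollment
# now rather than waiting for the 8-hour timer, and re-check the machine certificates.
certutil -CAInfo certcount
certutil -pulse
Get-MachineCertStatus | Format-Table -AutoSize
```

Running Get-MachineCertStatus on each DC before and after the CA renewal shows whether the DomainController certificate was re-issued against the new CA certificate; the CA Exchange certificate is short-lived by design and is re-created on demand, so it normally shows up again after certutil -pulse or the next autoenrollment cycle.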

Thanks Merv, I renewed the CA certificate with the existing key and everything seems to have worked; the domain controllers were just issued their DomainController certificate this morning, I'm just waiting on the CAExchange certificate now. I was sure it would work but I just needed that reassurance.
March 5th, 2009 2:34am

Hi ablaw, what was the outcome of the CAExchange certificate?
October 12th, 2010 5:05am
