If a CA is down...
Hi all, I read an article from Microsoft about autoenrollment and how it works (timing & process). From Microsoft: "The autoenrollment process is normally triggered by the Winlogon process, and is designed to be activated and managed by a domain-based Group Policy. Both machine-based and user-based Group Policy can activate autoenrollment for machines and users. By default, the Group Policy is applied at reboot for machines, or at logon for users, and is refreshed every eight hours. The refresh interval can be configured using Group Policy. Autoenrollment is also triggered by an internal timer that activates every eight hours after the last time autoenrollment was activated." I use my CA to enroll users and computers and to sign mail. In case my CA is down for several hours/days (no recovery option), what will be the impact on my users/computers/mail..? dkotix
In case the CA is down
October 12th, 2009 11:54pm
Well, as mentioned earlier, this depends on your setup. In general, during the failure of the CA you cannot:
1. issue certificates
2. issue new CRLs.
If you have a valid CRL during the failure, the only impact is that you cannot issue new certs. In case your CRL is not valid during the failure, clients won't be able to verify the certs, thus the signed mails cannot be verified and, depending on your configuration, it might not be possible to use certs for VPN purposes. For example, if your CRL validity period is only 1 day but the outage lasts for 5 days, you cannot verify the validity of issued certificates for at least 4 days. Martin
October 13th, 2009 12:27am
Hi Martin, and thanks for your help :-) Can the users still use their computers, for example log in? Will we be able to join new PCs to the domain? About the emails, I understand that clients won't be able to verify the cert. I know that my question is stupid for your level, but I am a newbie to PKI. dkotix
October 13th, 2009 12:49am
Well, if you don't use smart cards for login, then the login process is independent from your PKI. So yes, they can log in, use shares, printers etc.
Best regards
Martin
October 13th, 2009 8:52am
Hello, the authority is necessary only for two things:
- periodic publishing of CRLs, which are then downloaded by clients. Each CRL is valid for some time, and the authority is not necessary nor contacted at all during that validity period. But if the CA is not running at the end of the period to issue a new CRL, from that point on the clients will not be able to validate the certs. This means that some services such as VPN, smart card logon, WiFi/Ethernet 802.1x and RDP will not work at all, while others such as HTTPS, SMTPS, POP3S, IMAPS, RPC over HTTP, RDP Proxy etc. will work, although the clients will display some errors.
- issuance of the certificates to its clients. If the CA is not available online, it will not be able to issue certificates to clients. What that means depends on the certificate use in your organization, for instance: a) no new smart cards issued b) no new computers accessing WiFi using 802.1x c) no new computers/users logging on to VPN d) no new SSL servers deployed
ondrej.
October 13th, 2009 9:09am
You usually can afford some downtime of CAs, because the CRL validity period is usually a matter of days or even longer, and you usually do not need to provision new computers/users during a short CA failure.
ondrej.
October 13th, 2009 9:10am
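The arithmetic behind Martin's "1-day CRL, 5-day outage, at least 4 days unverifiable" and ondrej's "CRL validity is usually days or longer" is worth having as a small planning tool. The following is an added example, not code from the thread; it assumes clients trust the last published CRL until its NextUpdate and that the CA publishes nothing during the outage (the reference timestamp is constructed):

```python
from datetime import datetime, timedelta


def unverifiable_window(last_crl_published, crl_validity, outage_start, outage_end):
    """Interval in which clients cannot check revocation, or None if unaffected.

    Assumption: clients accept the last CRL until its NextUpdate
    (last_crl_published + crl_validity) and no new CRL appears during the outage.
    """
    next_update = last_crl_published + crl_validity
    if next_update >= outage_end:
        return None  # the last CRL outlives the outage: no validation impact
    return (max(next_update, outage_start), outage_end)


def guaranteed_tolerable_outage_days(validity_days, publish_interval_days):
    """Longest outage the CRL schedule survives in the worst case, i.e. when the
    CA dies just before its next scheduled publication. Only the overlap between
    consecutive CRLs (validity minus publish interval) is guaranteed."""
    return max(validity_days - publish_interval_days, 0)


def unverifiable_days(validity_days, failure_after_days, outage_days):
    """Day-count wrapper around unverifiable_window.

    failure_after_days: how long after the last CRL publication the CA failed.
    """
    published = datetime(2009, 10, 12)  # constructed reference time
    start = published + timedelta(days=failure_after_days)
    window = unverifiable_window(published, timedelta(days=validity_days),
                                 start, start + timedelta(days=outage_days))
    if window is None:
        return 0.0
    return (window[1] - window[0]).total_seconds() / 86400


if __name__ == "__main__":
    # Martin's scenario: CRL valid 1 day, CA fails right after publishing, 5-day outage
    print(unverifiable_days(1, 0, 5))        # 4.0 days without revocation checking
    # Same outage, but the CA fails 12 hours into the CRL's life: worse
    print(unverifiable_days(1, 0.5, 5))      # 4.5 days
    # ondrej's point: a 7-day CRL published daily survives any outage under 6 days
    print(guaranteed_tolerable_outage_days(7, 1))  # 6
```

Lengthening CRL validity and publishing early (so successive CRLs overlap) is what buys outage tolerance; the trade-off is that a revoked certificate stays acceptable to clients until the old CRL expires.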
Thanks Martin & Ondrej, I really appreciate it.... dkotix
October 13th, 2009 1:56pm