Machine Certificate renewal while connected to VPN
We have recently renewed the Subordinate CA certificate, which was about to expire in another 20 days.
Machine certificates for XP clients in our environment are issued by this subordinate CA server and auto-enrollment is in place.
I recently observed, especially for remote users who connect using the Cisco VPN client, a warning message that "your machine certificate <asset number>.<domainname>.com will expire in 10 days".
For one of the clients I tried to renew the certificate while connected to VPN, and I was able to renew manually. I also verified a few machine certificates for PCs in the corporate network and found they were renewed automatically.
Will the machine certificate not get renewed automatically while connected to VPN?
Mahesh
July 12th, 2012 5:12am
The VPN connection is probably too short in duration to let the autoenrollment trigger. Autoenrollment runs periodically at system startup and then every 8 hours recurrently. If you do not have the VPN connected at that time, autoenrollment goes void. Note that autoenrollment does not run at regular Group Policy update cycles, which are every 120 minutes. The autoenrollment schedule is independent of that of GP updates.
Test this:
once on a VPN client, connect the VPN to intranet and instead of enrolling manually, try pulsing autoenrollment from an elevated command prompt:
gpupdate
certutil -pulse
and see what happens.
ondrej.
July 12th, 2012 8:34am
You need to make sure that Auto-Enrollment is configured properly to renew expiring certificates on the target computers and the related certificate templates.
Read more on how to enable certificate autoenrollment http://technet.microsoft.com/en-us/library/dd379529
/Hasain
July 12th, 2012 8:34am
Hi ,
Whatever you explained makes sense; group policy updated successfully. When I tried certutil -pulse, I got the reply saying the pulse command completed successfully. Could you please let me know the exact function of this command.
Mahesh
July 12th, 2012 1:21pm
Auto-Enrollment is already in place and it's issuing the certificates for clients which are in the network. It's only a few machines which connect to the corporate network using VPN where the certificate is not updated.
Mahesh
July 12th, 2012 1:24pm
Sure, it just triggers the Autoenrollment client to do its autoenrollment cycle. Autoenrollment is the technology behind automatic enrollment of the computer certificates. It runs after every restart and then periodically every 8 hours. It tries to find online enterprise CAs and sends enrollment requests for certificate templates that are available but don't have a local certificate yet; it also pulls already issued certificates that are pending download, and it also archives already expired or revoked certificates.
Autoenrollment on Vista/2008+ is done by a scheduled task which resides in the Task Scheduler under Microsoft, CertificateServicesClient. The tasks are configured to run with the period mentioned above. CERTUTIL -pulse just triggers the system task manually.
o.
July 12th, 2012 3:19pm
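To check the pieces described above on a Vista/7 or later client, the following PowerShell is an added example (not from this thread or from Microsoft) that reads the autoenrollment policy value, lists machine certificates near expiry, shows the state of the CertificateServicesClient scheduled task, pulses autoenrollment and then prints what the autoenrollment client logged. The 30-day reporting window and the Application-log provider name used in the event query are assumptions; the AEPolicy registry value and the task path are the standard ones.

```powershell
# Added example: validate machine-certificate autoenrollment on a Vista/7+ client.
# Run from an elevated PowerShell prompt. Assumptions are marked inline.

$DaysWarning = 30   # assumed reporting window; align with the template's renewal period

# 1. Autoenrollment policy as applied by Group Policy.
#    AEPolicy 7 = enabled + renew expired certs + update pending certs/templates.
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) { Write-Warning 'No AutoEnrollment policy applied (AEPolicy missing)' }
else { "AEPolicy = $aePolicy (7 = enroll, renew expired, update pending)" }

# 2. Machine certificates expiring inside the window; these are what autoenrollment should renew.
#    Template OIDs: 1.3.6.1.4.1.311.20.2 (v1 template name), 1.3.6.1.4.1.311.21.7 (v2+ template info).
$soon = (Get-Date).AddDays($DaysWarning)
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -le $soon } |
    Select-Object Subject, NotAfter, Thumbprint, @{ n = 'Template'; e = {
        ($_.Extensions | Where-Object {
            $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7'
        } | ForEach-Object { $_.Format($false) }) -join '; ' } } |
    Format-Table -AutoSize

# 3. The scheduled task that runs the machine autoenrollment cycle (Vista/2008 and later).
schtasks /Query /TN '\Microsoft\Windows\CertificateServicesClient\SystemTask' /FO LIST /V |
    Select-String 'Status|Last Run Time|Next Run Time|Last Result'

# 4. Trigger the machine autoenrollment cycle now, the same thing the task does on its schedule.
#    The client must be able to reach an enterprise CA (e.g. VPN up) for this to do any work.
certutil -pulse | Out-Null

# 5. Give the cycle a moment, then show what the autoenrollment client logged.
#    Assumption: events land in the Application log under this provider name.
Start-Sleep -Seconds 30
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        StartTime    = (Get-Date).AddMinutes(-5)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

If step 2 lists a certificate that step 5 shows no enrollment activity for, compare the task's Last Run Time with the VPN session times: a cycle that ran while the tunnel was down cannot reach the CA.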
Thank you for the explanation.
But after successful execution of this command I still find the XP client's machine certificate is not updated. But, for sure, autoenrollment is enabled in the environment. How do I validate that autoenrollment is working fine in the environment?
I hope you will answer one more query of mine.
We have 2 Enterprise root CA servers in our domain. We have WinXP and Win 7 clients in the environment. We have different domain group policies in place for Win 7 and Win XP clients.
What I have observed is that machine certificates are issued by different CA servers for the Win 7 and WinXP clients.
Can we configure two CA servers to issue machine certificates to different clients? If yes, how do I make this happen?
Please explain, awaiting your reply.
Mahesh
July 16th, 2012 4:06am
Hi,
We could have different certificate templates published on the different CA's for the different clients.
Enable autoenrollment on clients.
Make different client groups have enroll permissions on the different templates.
For more details:
http://technet.microsoft.com/en-us/library/cc947849
http://technet.microsoft.com/en-us/library/cc778954
Regards,
Yan Li
TechNet Community Support
July 17th, 2012 3:22am
Thanks for your reply.
Mahesh
July 18th, 2012 5:36am