Replace Client Certificates for a removed Certificate Authority
OK, here's the situation. We had 2 Certificate Authorities (named, for the sake of this example, CA1 and CA2). CA1 no longer exists, but many workstations still have Client Certificates issued by it.

We have installed SCCM 2012 in Native Mode, which requires certificate authentication to install and run its agent on workstations. SCCM can't verify the certificates issued by the old CA1, because it only has a cert from CA2 to verify against.

So, the question is this: how can we force all workstations which still have Client Certificates from CA1 to disregard this certificate and enrol with a new one from CA2?

Many thanks in advance for any pointers / suggestions!

Have you tried turning it off and back on again?
April 20th, 2012 8:21am

Are these CAs root or intermediate? Generally you must completely decommission the old CA server: http://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx and if autoenrollment is configured it will replace invalid certificates with new ones.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
April 20th, 2012 9:04am
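
A per-workstation check for the situation discussed above, as an added example that is not part of the original thread: it lists computer certificates whose issuer is the retired CA and, only when asked, removes them and triggers autoenrollment. Assumptions: the issuer CN is the placeholder `CA1` from the question, the certificates live in the `LocalMachine\My` store, autoenrollment against CA2 is already configured by Group Policy, and the script runs elevated on PowerShell 3.0 or later.

```powershell
# Added example, not from the original thread.
param(
    # Assumption: common name of the retired CA (placeholder taken from the question).
    [string]$OldCaCommonName = 'CA1',
    # Without -Remove the script only reports what it finds.
    [switch]$Remove
)

# Match the CN as a whole RDN so that 'CA1' does not also match 'CA10' or 'SubCA1'.
$issuerRegex = '(^|,\s*)CN=' + [regex]::Escape($OldCaCommonName) + '(\s*,|$)'

# Computer certificates issued by the retired CA.
$stale = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match $issuerRegex })

if ($stale.Count -eq 0) {
    Write-Output "No certificates issued by CN=$OldCaCommonName in LocalMachine\My."
    return
}

# Report first: subject, issuer, thumbprint, expiry and intended purposes.
$stale | Select-Object Subject, Issuer, Thumbprint, NotAfter,
    @{ Name = 'Purposes'; Expression = { ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join '; ' } } |
    Format-List

if ($Remove) {
    foreach ($cert in $stale) {
        Write-Output "Removing $($cert.Thumbprint) ($($cert.Subject))"
        Remove-Item -Path $cert.PSPath
    }
    # Ask the autoenrollment client to run now instead of waiting for the next policy refresh.
    certutil.exe -pulse | Out-Null

    # Show what is in the store afterwards so the new issuer can be confirmed.
    Start-Sleep -Seconds 30
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Select-Object Subject, Issuer, NotAfter | Format-List
}
```

Run it without `-Remove` first and review the report; removal is only useful once the CA2 template and autoenrollment policy are reachable from the workstation.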
