Automate renewing client certificates with the same key
Hi, I am looking for a way to force clients to renew their certificates with the same key. I have recently updated the CA CRL and I am looking for a way to complete this using a script. All of the clients are Windows 7, so there is the manual way of completing this, but I want to be able to automate it. Any ideas? Thanks, Ciaran
April 12th, 2011 7:37am

Why do you want to renew them with the same key pair?
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
April 12th, 2011 8:06am

Thanks for coming back to me. No real reason to use the same key apart from ease of management and mass duplication in the database. If there is an easier option to renew the certificate with the same key, that would be great too. Thanks, Ciaran
April 12th, 2011 8:39am

Sorry, I should also say that this is the default Computer template that we use for authentication.
April 12th, 2011 9:05am

There are no real benefits from this. Regarding the database: each new request (no matter whether with a new or existing key pair) will consume the same space in the DB and will be placed in a new row. You should generate a new key pair only if the existing one is compromised/lost.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
April 12th, 2011 9:51am

What I need to do here is replace the cert on all of the workstations so that the new CRL entry will be used. I am looking for an automated way to do this (i.e. not manually through MMC). Whether I keep the existing key or replace it does not really matter once the cert has been renewed/replaced or updated.
April 12th, 2011 10:38am

Not sure whether you have tried the Autoenrollment feature? ondrej.
April 12th, 2011 1:54pm

Autoenrollment always renews certificates with a new key pair (with the exception of when the smart card doesn't have enough space).
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
April 12th, 2011 2:57pm

Sure, I thought we had settled that the "same-key" requirement was unimportant. ondrej.
April 12th, 2011 2:58pm

Super easy: Re-enroll all certificate holders. http://technet.microsoft.com/en-us/library/cc728039(WS.10).aspx Hope this helps!
April 12th, 2011 10:46pm

Fail... I just saw this was for the default Computer template... this won't work on Version 1 templates. Not super easy now :( Another instance where PKI should be more user friendly... ugh. Ultimately you should be using at least Version 2 templates. I can't remember if you can achieve the same outcome using the old group policy settings or not... can anyone check if there is a "re-enroll" or similar setting in group policy here: Computer Configuration\Security Settings\Public Key Policies\Automatic Certificate Request Settings? I don't think there is, but I'm unable to connect to a box that can edit group policy to check.
April 12th, 2011 11:04pm

Thanks for the responses. The cert is configured in AD to auto-enrol and will re-enrol when it is near expiry. There are no other options that can be configured for the cert in GPO that I can see, anyway. Any other ideas? Thanks again, Ciaran
April 13th, 2011 4:22am
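Added example, not code posted by anyone in this thread: a per-client PowerShell script that does what the thread ends up asking for on each Windows 7 workstation. It finds the certificate enrolled from the default Computer template (internal template name "Machine") in the local machine store, renews it in place with certreq (optionally keeping the existing key pair via "reusekeys", which is what the original question asked for), and falls back to pulsing autoenrollment when no such certificate exists. The CA common name "Contoso-CA" and the use of the thumbprint as the certreq CertId are assumptions, not values from the thread. It is meant to be run elevated, for instance as a GPO computer startup script or remotely with PsExec.

```powershell
<#
  Added example (not from the thread). Renew the default Computer ("Machine")
  template certificate on a Windows 7 client with certreq, or pulse
  autoenrollment if none is present.
  Assumptions: issuing CA CN is "Contoso-CA"; thumbprint is used as CertId.
#>
param(
    [string]$IssuerCN = 'Contoso-CA',   # assumption: CN of your issuing CA
    [string]$Template = 'Machine',      # internal name of the default Computer template
    [switch]$ReuseKeys,                 # keep the existing key pair (the original ask)
    [switch]$DryRun                     # report what would be renewed, change nothing
)

# OID of the V1 "Certificate Template Name" extension. Its formatted value is
# the template's internal name, e.g. "Machine" for the default Computer template.
$templateOid = '1.3.6.1.4.1.311.20.2'

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    if ($ext) { return $ext.Format($false).Trim() }
    return $null
}

# Candidates: machine-store certs issued by our CA from the wanted template.
$issuerPattern = 'CN=' + [regex]::Escape($IssuerCN)
$targets = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -match $issuerPattern -and (Get-TemplateName $_) -eq $Template
}

if (-not $targets) {
    # Nothing to renew: let the autoenrollment policy enrol a fresh certificate.
    Write-Host "No '$Template' certificate from $IssuerCN found; pulsing autoenrollment."
    if (-not $DryRun) {
        & certutil.exe -pulse | Out-Null
        exit $LASTEXITCODE
    }
    exit 0
}

foreach ($cert in $targets) {
    # certreq renews in place: the new certificate replaces this one in the store.
    # "reusekeys" keeps the private key; without it certreq generates a new key pair.
    $certreqArgs = @('-enroll', '-machine', '-q', '-cert', $cert.Thumbprint, 'renew')
    if ($ReuseKeys) { $certreqArgs += 'reusekeys' }

    Write-Host ("Renewing {0} (expires {1}) with: certreq {2}" -f `
        $cert.Thumbprint, $cert.NotAfter, ($certreqArgs -join ' '))
    if ($DryRun) { continue }

    & certreq.exe @certreqArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certreq failed for $($cert.Thumbprint) with exit code $LASTEXITCODE"
    }
}
```

Run it once with -DryRun to confirm it picks only the certificates you expect before pushing it out. The renewal request is signed with the existing certificate, so the CA must still issue the Computer template and the old certificate must not yet be expired or revoked; certreq's exit code is surfaced so a deployment tool can flag the machines where that is not the case.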

This topic is archived. No further replies will be accepted.
