What Process Kicks Off RENEWAL of PKI Certificate

Roger Hendrikse 246 Reputation points
2020-08-02T15:46:35.497+00:00

We have an AD-integrated PKI setup, which supplies certificates to all our client machines. We have set up the necessary Certificate Template and allowed auto-enroll permissions to all devices. In the Default Policy for our domain, we have enabled the following:

Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
Automatic certificate management - Enabled
Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates - Enabled
Update and manage certificates that use certificate templates from Active Directory - Enabled

This has been working fine, and still is working fine for LAN-based machines. However, most of our current users are now working remotely, and only connecting to the VPN for short periods when necessary. Due to an issue with the expiry of our ROOT CA certificate (which has now been resolved), about 80% of our clients have certificates that are due to expire in November 2020. The renewal period for the template used for these certificates is the default of 6 weeks, so machines would only start renewing certificates from about October 2020.

Most of those clients will still be working remotely, and only connecting to VPN for short periods, so I am looking into ways to confirm that from October, machines will start to renew their certificates when on the VPN. I have created a new certificate template for some test machines which has a life of 3 days, and renewal period of 2 days. Two days ago, I got one of my test machines to auto enroll for the new certificate on the LAN, which it did. I took this machine home, and today, I connected it to the VPN to see if it will renew the certificate, which expires tomorrow. So far, after being on VPN for more than 4 hours, the certificate has not been renewed.

I checked Event Viewer on the test machine and can see in the Group Policy event logs that it is detecting a network change when I connect to VPN, and then processing GPOs, but the certificate is not getting renewed. I assumed that, as the certificate was originally auto-enrolled during GPO processing, the renewal would happen at the same time, but this does not seem to be the case. I do not want to run gpupdate /force, as I want to simulate what users would experience.

Which process within Windows will actually look at my machine's certificate, see that it is within its renewal period and then start the process of requesting a certificate renewal?

Active Directory

1 answer

Daisy Zhou 20,791 Reputation points Microsoft Vendor
    2020-08-03T01:56:01.88+00:00

    Hello RogerHendrikse-7977,

    Thank you for posting here.

    When on the VPN, we can check whether the certificate auto enroll will occur.

    1. Configure the computer certificate autoenroll GPO as above and link the GPO to an OU with test machines.
    2. Take one test machine out of the LAN network and connect this domain-joined machine to the VPN.
    3. Run gpupdate /force or wait for 90-120 minutes to see if the certificate auto enroll will occur.
    4. If it does not work, we can run gpresult /h to check if we can see the computer certificate autoenroll GPO.

    (1) Log on to this test machine on the VPN with a domain administrator.
    (2) Open CMD (run as Administrator).
    (3) Type gpresult /h C:\enroll.html and press Enter.
    (4) Open enroll.html to check if we can see the certificate autoenroll GPO settings under "Computer Details".

    Tips:
    1. Check the Schema version of the test certificate template (we can use 2).
    2. Ensure we have checked the Read, Enroll and AutoEnroll permissions on the test certificate template.

    Meanwhile, for the beginning of the certificate renewal, we can see:

    Renewal. This is the most misunderstood part of the auto-enroll process. Every certificate issued has a renewal period as part of the template. This does not necessarily mean that the certificate will renew at the exact beginning of that period. For renewal of auto-enrolled certificates, two time frames exist before the action is taken.
    First, the certificate has to have completed 80% of its validity period and be within the renewal period. So as an example, a certificate that is valid for 1 year reaches the 80% mark at around 41.5 weeks, and if the cert has a 6 week renewal period, then the renewal would happen at the 46 week period. So this would happen during the renewal period.
    If the validity period is 6 months, the 80% mark would be week 21, but the renewal period would begin week 20.

    Reference:
    Tips for Certificate Auto-Enrollment Issuance
    https://blog.keyfactor.com/certificate-auto-enrollment-issuance

    Best Regards,
    Daisy Zhou

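The two-condition rule quoted in the answer (80% of validity elapsed AND inside the renewal period) can be applied to the certificates on the test machine to see when autoenrollment will first consider each one renewable. The script below is an added example, not code from the question, the answer or Microsoft; the renewal period is not stored in the certificate, so it is passed in as an assumed parameter (default 6 weeks), and the scheduled-task path at the end is from my own knowledge of current Windows builds, not from this thread.

```powershell
# Computes when autoenrollment will treat a certificate as eligible for renewal:
# the later of (NotBefore + 80% of validity) and (NotAfter - renewal period).
function Get-RenewalEligibility {
    param(
        [Parameter(Mandatory)][datetime]$NotBefore,
        [Parameter(Mandatory)][datetime]$NotAfter,
        [timespan]$RenewalPeriod = (New-TimeSpan -Days 42)   # assumed; template default is 6 weeks
    )
    $validity     = $NotAfter - $NotBefore
    $eightyPct    = $NotBefore.AddTicks([long]($validity.Ticks * 0.8))
    $renewalStart = $NotAfter - $RenewalPeriod
    # Both conditions must hold, so eligibility begins at whichever comes last.
    if ($eightyPct -gt $renewalStart) { $eligible = $eightyPct;    $gate = '80% of validity' }
    else                              { $eligible = $renewalStart; $gate = 'renewal period' }
    [pscustomobject]@{
        NotBefore     = $NotBefore
        NotAfter      = $NotAfter
        EightyPercent = $eightyPct
        RenewalStart  = $renewalStart
        EligibleFrom  = $eligible
        Gate          = $gate
    }
}

# Constructed sample inputs mirroring the three cases discussed on this page.
$enrolled = Get-Date '2020-07-31'
# 1-year cert, 6-week renewal: 80% mark ~week 41.7, renewal window opens week 46 -> eligible week 46
Get-RenewalEligibility -NotBefore $enrolled -NotAfter $enrolled.AddDays(365)
# 6-month cert, 6-week renewal: renewal window opens week 20, 80% mark ~week 21 -> eligible week 21
Get-RenewalEligibility -NotBefore $enrolled -NotAfter $enrolled.AddDays(182)
# The asker's test template (3-day life, 2-day renewal): window opens at day 1, but
# 80% of validity is only reached at day 2.4, so nothing renews before then.
Get-RenewalEligibility -NotBefore $enrolled -NotAfter $enrolled.AddDays(3) -RenewalPeriod (New-TimeSpan -Days 2)

# Live check on a test machine (elevated prompt): apply the same rule to every
# certificate in the machine store, using the assumed default renewal period.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $r = Get-RenewalEligibility -NotBefore $_.NotBefore -NotAfter $_.NotAfter
    [pscustomobject]@{ Subject = $_.Subject; Thumbprint = $_.Thumbprint
                       EligibleFrom = $r.EligibleFrom; Gate = $r.Gate }
} | Sort-Object EligibleFrom | Format-Table -AutoSize

# When the autoenrollment client last ran on this machine (assumption: the
# CertificateServicesClient\SystemTask scheduled task, present on Windows 8/2012+).
Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' -TaskName 'SystemTask' |
    Get-ScheduledTaskInfo | Select-Object LastRunTime, LastTaskResult, NextRunTime
```

Comparing EligibleFrom with the task's LastRunTime shows whether the client has had a chance to run while the certificate was already renewable, which is the distinction the answer's 90-120 minute wait is meant to cover.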