Site Server Didn't Auto-Renew SCCM Client Certificate - Anyone Know Why?

    Question

  • Good morning,

    I saw a bunch of errors in my SCCM log about the site server not responding to HTTP requests. The only thing I could see was that my SCCM client cert had expired yesterday at 12:30 PM. I manually renewed it this morning, but I thought it would request a new cert automatically. The template is good for another four years, so I know the template is solid. I'm worried that in May, when the bulk of my user workstations have expired, they won't auto-renew. Anyone know how I can test or determine why it didn't auto-renew? Thanks.
    • Moved by Carol Bailey (Microsoft employee) Wednesday, February 24, 2010 8:39 PM. Out of scope for Configuration Manager (From: Configuration Manager Internet Clients and Native Mode)
    Wednesday, February 17, 2010 1:34 PM

Answers

All replies

  • This post has been open for a week without any responses so I'm moving it to the Security forum where it will be seen by more people who have experience with troubleshooting Certificate Services.  There's nothing specific to Configuration Manager native mode here - this is a standard computer certificate with client authentication capability that has been deployed via autoenrollment and is not automatically renewing.
    Wednesday, February 24, 2010 8:34 PM
  • First of all, you cannot deploy the standard computer certificate with autoenrollment
    Autoenrollment is only for V2 certificate templates and Computer is a V1 certificate
    (but I think this is Carol paraphrasing)

    You need to properly set up the certificate for autoenrollment and the GPO
    See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro .mspx for details
    Brian
    Thursday, February 25, 2010 12:28 AM
  • If V2 templates aren't supported by your CA, you may use Automatic Certificate Request to deploy V1 template certificates for your computers:
    http://technet.microsoft.com/en-us/library/cc759371(WS.10).aspx
    http://www.sysadmins.lv
    Thursday, February 25, 2010 6:52 AM
  • And one last thing to add to the discussion here. If your template is configured for a 4 year validity period and you're not getting 4 years then:

    1. You're not actually deploying certificates based on your custom template. Follow Brian's link to make sure that you've got autoenrollment configured correctly.
    2. The remaining lifetime of your CA certificate is less than 4 years. If this is the case renew the CA certificate.
    3. The ValidityPeriod and ValidityPeriodUnits registry values on your CA are configured to be less than 4 years.

    Paul Adare CTO IdentIT Inc. ILM MVP
    Thursday, February 25, 2010 12:11 PM
  • Thanks for helping out. To clarify "this is a standard computer certificate with client authentication capability", I wasn't referring to the certificate template called "Computer" but to the fact that this certificate, which is installed in the computer store (rather than the user store), doesn't require anything special or unusual for Configuration Manager. The requirements are such that it could be installed by using any certificate template that includes client authentication (1.3.6.1.5.5.7.3.2) in the EKU. The problem seems to be not with automatically installing the certificate, but automatically renewing it.

    Since manual renewal works, I don't see how it can be a problem with the validity period.

    Where would an automatic renewal request and failure be logged on the client computer to help troubleshoot this scenario?


    - Carol
    Thursday, February 25, 2010 9:33 PM
  • As I stated earlier to troubleshoot autoenrollment (and renewal issues)

    You need to properly set up the certificate for autoenrollment and the GPO
    See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro .mspx for details
    Brian
    Friday, February 26, 2010 2:20 AM
  • Sorry Carol, the way I read your original post was that since your certificates are all about to expire, not only were you not getting automatic renewal, you also weren't getting the certificate lifetime you'd expected.

    Brian's link is really the best place to start. You need to make sure that you've got autoenrollment configured correctly in a Group Policy object and that you've got the certificate template permissions configured correctly as far as permissions go.

    Paul Adare CTO IdentIT Inc. ILM MVP
    Friday, February 26, 2010 2:44 PM
  • As I stated earlier to troubleshoot autoenrollment (and renewal issues)

    You need to properly set up the certificate for autoenrollment and the GPO
    See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro .mspx for details
    Brian

    Unfortunately, this link wasn't working when I tried it.  However, I did find "Certificate Autoenrollment in Windows Server 2003" (http://technet.microsoft.com/en-us/library/cc778954(WS.10).aspx) and specifically the troubleshooting section "Troubleshooting (Certificate Autoenrollment in Windows Server 2003)" - http://technet.microsoft.com/en-us/library/cc755801(WS.10).aspx.  Is this what you were referencing or is there additional online documentation to help this customer?


    - Carol
    Friday, February 26, 2010 8:19 PM
  • You have the correct document
    Brian
    Saturday, February 27, 2010 1:04 AM
  • Thanks for all the help. Unfortunately, all the settings I was told to check appear correct. The GPO is set for auto-renewal and it is applied to the site server as well as any DPs (in addition to the client workstations). Do the computers renew on the day they expire, or do they start renewing ahead of time based on a pre-defined grace period (for lack of a better term)? Just trying to figure out how I can make sure a number of machines aren't left high and dry this May. Thanks.
    Monday, March 01, 2010 2:09 PM
  • If you look at the certificate template, you'll see a setting named Renewal Period. When the certificate enters that period (subtract the Renewal Period value from the expiry date of the certificate to determine when that period begins) clients will begin requesting renewals.
    Paul Adare CTO IdentIT Inc. ILM MVP
    Monday, March 01, 2010 2:24 PM
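An added example (not from any poster in this thread) that applies the Renewal Period rule above to the client's computer store, so the workstations due in May can be checked before they expire: it lists client-authentication certificates, works out when each one's renewal window opened (expiry minus Renewal Period), then shows recent autoenrollment events and triggers an autoenrollment pass. The Renewal Period value, the 42-day default, the event-source wildcard and the template-extension OIDs are assumptions; read the real Renewal Period from the template on the CA.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the client.
# The template's Renewal Period is NOT stored in the issued certificate, so it is
# passed in as days (42 is an assumed placeholder; use your template's value).
function Get-AutoenrollRenewalStatus {
    param(
        [int]$RenewalPeriodDays = 42,   # assumed; copy from the template's Renewal Period
        [int]$WarnWithinDays    = 90    # planning lookahead for the May batch
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU named in the thread
    $templateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'  # V2 info / V1 name ext.
    $now = Get-Date

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Keep only certificates whose EKU extension includes Client Authentication
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $eku) { return }
        if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) { return }

        # Template name/OID, so a cert issued from the wrong template is obvious
        $tmpl = $cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }

        # Renewal Period rule from the thread: window opens at NotAfter minus Renewal Period
        $renewalStart = $cert.NotAfter.AddDays(-$RenewalPeriodDays)
        if     ($now -gt $cert.NotAfter)                            { $status = 'EXPIRED' }
        elseif ($now -ge $renewalStart)                             { $status = 'IN RENEWAL WINDOW - should have renewed' }
        elseif ($now.AddDays($WarnWithinDays) -ge $renewalStart)    { $status = 'renewal window opens soon' }
        else                                                        { $status = 'ok' }

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Template      = ($tmpl -join '; ')
            NotAfter      = $cert.NotAfter
            RenewalStarts = $renewalStart
            DaysLeft      = [int]($cert.NotAfter - $now).TotalDays
            Status        = $status
        }
    }
}

Get-AutoenrollRenewalStatus -RenewalPeriodDays 42 |
    Select-Object Status, DaysLeft, RenewalStarts, NotAfter, Template, Subject | Format-Table -AutoSize

# Autoenrollment writes its attempts and failures to the Application log; the
# wildcard source is an assumption covering the AutoEnrollment event source name.
Get-EventLog -LogName Application -Source '*AutoEnrollment*' -After (Get-Date).AddDays(-14) -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EntryType, EventID, Message | Format-Table -Wrap

# Force an autoenrollment pass now instead of waiting for the scheduled trigger,
# then re-run the function: a renewed cert or a fresh error event should appear.
certutil -pulse
```

A certificate reported as IN RENEWAL WINDOW with no AutoEnrollment event after `certutil -pulse` points at the GPO or template permissions covered by Brian's link, not at the validity period.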