Re-enroll

    Question

  • Scenario: a network device periodically switches to/from SSL and non-secure connections. When leaving secure mode it deletes all of its current certs (client, CA, CRL). When it goes back into secure mode it re-enrolls via SCEP to get a new client cert. It doesn't matter to us if the CA returns the original client cert again or returns a new one just as long as it works.

    Question: Will ADCS NDES handle this ok? The network device isn't re-enrolling in the traditional sense because the previous client cert didn't expire. If that's a problem would it be possible for the network device to tell ADCS to revoke the original client cert first so that the new SCEP request would succeed? Our new system isn't running so I can't test it for myself yet. We're migrating from a different solution to Server 2008 R2. Thanks in advance for the help.

    Friday, June 15, 2012 16:03

All Replies

  • Hi,

    You can use the Certification Authority snap-in to revoke a certificate, to administer certificate revocation list (CRL) publication, and to specify the CRL Distribution Points (CDPs) published in every certificate issued by the certification authority (CA).

    For details:

    Revoking certificates and publishing CRLs
    http://technet.microsoft.com/en-us/library/cc782162(v=WS.10).aspx

    Best Regards
    Elytis Cheng
    TechNet Community Support

    Tuesday, June 19, 2012 09:00
    Moderator
  • Thank you for the reply. Can a network device issue a command to ADCS to revoke its own certificate remotely with no human involvement? If not, what will ADCS do if a network device tries to re-enroll when a valid certificate already exists? Will it simply give the existing certificate to the network device again?
    Wednesday, June 20, 2012 13:43
  • MSDN tech support says that a network device cannot issue a command to ADCS to revoke its own cert. But ADCS doesn't care if the same network device requests new certs while old ones are still valid so it's not an issue.

    Wednesday, July 4, 2012 22:07
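The thread's conclusion is that the CA will happily issue a new certificate while the old one is still valid, and that the device cannot revoke its own certificate. The practical consequence for an operator is that every switch back into secure mode leaves one more unexpired, unrevoked certificate for the same device in the CA database; the device has deleted its copy, but the certificate is still trusted by everything that validates against the CA. The following PowerShell script is an added example (not from the thread, not Microsoft's own tooling) of the operator-side clean-up the poster was asking for: it queries the CA database with certutil for all issued certificates carrying the device's Common Name, treats the most recently issued one as current, and optionally revokes the rest with reason "Superseded" and republishes the CRL. It assumes it runs on the CA (or that you add certutil's -config "CAHost\CAName" option), that the device enrolls with a stable Common Name, that the highest RequestID is the newest enrollment, and that certutil's date output parses under the current culture; the device name is a placeholder.

```powershell
<#
 Added example: report, and optionally revoke, superseded device certificates
 on an ADCS CA after repeated SCEP/NDES re-enrollments.
 Assumptions (not from the thread): run on the CA itself, device enrolls with a
 stable Common Name, highest RequestID = newest certificate.
#>
param(
    [Parameter(Mandatory)] [string] $CommonName,   # placeholder, e.g. "switch01.corp.example"
    [switch] $Revoke                               # without this switch: report only
)

# Pull every issued certificate (Disposition=20) for this CN from the CA database.
# Columns are requested in a fixed order so they can be named positionally below.
$raw = & certutil -view -restrict "Disposition=20,CommonName=$CommonName" `
                 -out "RequestID,SerialNumber,NotAfter,CommonName" csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed:`n$($raw -join "`n")" }

# Skip certutil's own header row; the hex filter on SerialNumber also discards the
# trailing "CertUtil: -view command completed successfully." status line.
$certs = $raw | Select-Object -Skip 1 |
         ConvertFrom-Csv -Header RequestID,SerialNumber,NotAfter,CommonName |
         Where-Object { $_.SerialNumber -match '^[0-9a-fA-F]+$' }

# Ignore certificates that have already expired; they need no revocation.
$now = Get-Date
$valid = $certs | Where-Object {
    $exp = $null
    # NotAfter is printed in the CA's locale; parsing under the current culture is an assumption.
    [datetime]::TryParse($_.NotAfter, [ref]$exp) -and ($exp -gt $now)
}

# RequestIDs are assigned in issuance order, so the highest one is the certificate
# the device obtained on its most recent switch into secure mode.
$sorted     = $valid | Sort-Object { [int]$_.RequestID } -Descending
$current    = $sorted | Select-Object -First 1
$superseded = $sorted | Select-Object -Skip 1

if (-not $current) {
    Write-Output "No unexpired certificate is issued to $CommonName"
    return
}
Write-Output "Current   : RequestID $($current.RequestID) serial $($current.SerialNumber) expires $($current.NotAfter)"

foreach ($c in $superseded) {
    Write-Output "Superseded: RequestID $($c.RequestID) serial $($c.SerialNumber) expires $($c.NotAfter)"
    if ($Revoke) {
        # Reason code 4 = Superseded (RFC 5280 CRLReason): the certificate was
        # replaced by a newer enrollment, not compromised.
        & certutil -revoke $c.SerialNumber 4 | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to revoke serial $($c.SerialNumber)" }
    }
}

if ($Revoke -and $superseded) {
    # Publish a fresh CRL now rather than waiting for the scheduled publication,
    # so relying parties stop accepting the superseded certificates promptly.
    & certutil -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "CRL publication failed; run 'certutil -CRL' manually" }
}
```

Run it first without -Revoke to confirm that the "current" line is the certificate the device is actually presenting (the serial number in a packet capture or the device's own CLI will match); only then schedule it with -Revoke, per device CN, shortly after each expected re-enrollment window. Keeping the reason code at Superseded rather than a compromise reason matters for anyone later reading the CRL or CA audit log, and publishing the CRL right after revocation closes the gap the thread leaves open between issuance of the new certificate and the old one becoming untrusted.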