Certificate Autoenrollment does not seem to be working for existing certificates


    Hi All,

    This is my first time on this forum, so please let me know if this topic is in the wrong place. And I apologize for my English as well.

    I have a problem with the Certificate Autoenrollment policy that I have implemented for the company. The problem is that when users get new laptops and join them to the domain, the existing user certificates are not reissued. On the old laptops, if the user and computer certificates are accidentally deleted, the existing ones are not reissued either.

    However, if I revoke the certificates via the CA console, new ones are issued to the client.

    A bit of background on the AD CS environment: AD Certificate Services is installed on a Windows Server 2008 R2 Enterprise domain controller.

    The user certificate template is duplicated from an existing one, and I enabled "Publish certificate in Active Directory" and checked the "Do not automatically reenroll if a duplicate certificate exists in Active Directory" option as well.

    As for the GPO, I created a GPO and linked it at the domain level in GPMC. "Automatic certificate management" under User Configuration is set to Enabled, and the following options are also enabled:
    - Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates
    - Update and manage certificates that use certificate templates from Active Directory

    Hopefully someone has encountered this before and can help me with a solution.

    Thank you,

    Tuesday, March 29, 2016 5:30 AM
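
The check a responder would want to run against the setup described in the post, added here as an example (it is not code from the thread or from the poster). It reads the template's msPKI-Enrollment-Flag and Autoenroll ACEs from the AD Configuration partition, confirms the template is published on a CA, and lists the user's certificates in the userCertificate attribute that were issued from that template, which is exactly what the "Do not automatically reenroll if a duplicate certificate exists in Active Directory" option (flag 0x10, CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE) makes the autoenrollment client look at. The template CN and the user's sAMAccountName are parameters (no names from the thread are known, so they are placeholders); it assumes a domain-joined machine whose user can read the Configuration partition and needs no RSAT module.

```powershell
# Added example, not from the thread. Inspect a template's autoenrollment settings in AD
# and the user's AD-published certificates issued from it.
param(
    [Parameter(Mandatory)] [string] $TemplateName,    # template CN (not display name), placeholder
    [Parameter(Mandatory)] [string] $SamAccountName   # affected user, placeholder
)

# msPKI-Enrollment-Flag bits per MS-CRTD 2.26 (only the ones relevant to this problem).
$EnrollmentFlags = [ordered]@{
    0x00000002 = 'CT_FLAG_PEND_ALL_REQUESTS'                              # "CA certificate manager approval"
    0x00000008 = 'CT_FLAG_PUBLISH_TO_DS'                                  # "Publish certificate in Active Directory"
    0x00000010 = 'CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE'      # "Do not automatically reenroll if a duplicate exists in AD"
    0x00000020 = 'CT_FLAG_AUTO_ENROLLMENT'                                # template marked for autoenrollment
    0x00000400 = 'CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE' # "Delete revoked or expired certificates"
}
$AutoenrollRightGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Autoenroll extended right

$configNc = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"
$tmplPath = "LDAP://CN=$TemplateName,CN=Certificate Templates,$pkiBase"

# 1. Template object: enrollment flags and who holds the Autoenroll right.
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tmplPath)) {
    throw "Template '$TemplateName' not found under CN=Certificate Templates,$pkiBase"
}
$template    = [ADSI]$tmplPath
$flags       = [int]$template.Get('msPKI-Enrollment-Flag')
$templateOid = [string]$template.Get('msPKI-Cert-Template-OID')

Write-Host ("Template {0} (OID {1}): msPKI-Enrollment-Flag = 0x{2:X8}" -f $TemplateName, $templateOid, $flags)
foreach ($bit in $EnrollmentFlags.Keys) {
    $mark = if (($flags -band $bit) -ne 0) { 'x' } else { ' ' }
    Write-Host ("  [{0}] {1}" -f $mark, $EnrollmentFlags[$bit])
}
$autoenrollees = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.ObjectType -eq $AutoenrollRightGuid -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $_.IdentityReference.Value }
Write-Host "  Autoenroll allowed for: $(($autoenrollees | Sort-Object -Unique) -join ', ')"

# 2. Is the template published on at least one enrollment service (CA)?
$caSearcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Enrollment Services,$pkiBase")
$caSearcher.Filter = '(objectClass=pKIEnrollmentService)'
[void]$caSearcher.PropertiesToLoad.AddRange(@('cn', 'certificatetemplates'))
$publishedOn = foreach ($ca in $caSearcher.FindAll()) {
    if (@($ca.Properties['certificatetemplates']) -contains $TemplateName) { $ca.Properties['cn'][0] }
}
Write-Host "  Published on CA(s): $(if ($publishedOn) { $publishedOn -join ', ' } else { 'NONE' })"

# 3. The user's AD-published certificates that came from this template.
$userSearcher = New-Object System.DirectoryServices.DirectorySearcher
$userSearcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$userSearcher.PropertiesToLoad.Add('usercertificate')
$user = $userSearcher.FindOne()
if (-not $user) { throw "User '$SamAccountName' not found" }

$fromTemplate = @()
foreach ($blob in $user.Properties['usercertificate']) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, [byte[]]$blob)
    foreach ($ext in $cert.Extensions) {
        $text = $ext.Format($false)
        # v2+ templates: 1.3.6.1.4.1.311.21.7 carries the template OID; v1 templates: 1.3.6.1.4.1.311.20.2 carries the CN.
        if (($ext.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -and $text -like "*$templateOid*") -or
            ($ext.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -and $text.Trim() -eq $TemplateName)) {
            $fromTemplate += $cert
            break
        }
    }
}
$stillValid = @($fromTemplate | Where-Object { $_.NotAfter -gt (Get-Date) })
Write-Host ("{0}: {1} published certificate(s) from this template, {2} still within validity" -f
    $SamAccountName, $fromTemplate.Count, $stillValid.Count)
foreach ($c in $fromTemplate) {
    Write-Host ("  serial {0}  not after {1:u}  issuer {2}" -f $c.SerialNumber, $c.NotAfter, $c.Issuer)
}

# 4. Verdict for the duplicate check.
if ((($flags -band 0x10) -ne 0) -and $stillValid.Count -gt 0) {
    Write-Host 'CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE is set and a still-valid certificate from this template'
    Write-Host 'is published on the user object: the autoenrollment client treats it as a duplicate and will not enroll.'
}
```

Run it as `.\Check-Autoenroll.ps1 -TemplateName <templateCN> -SamAccountName <user>` from a domain-joined box. Note that the template CN (the "Template name" field in the MMC, without spaces) is what the certificateTemplates attribute and the v1 extension carry, while the duplicated v2 template is matched by its msPKI-Cert-Template-OID; a mismatch between display name and CN is a common reason a script like this finds nothing.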


All replies