Automatic Smart Card Certificate Renewal

  • Question

  • We have a problem where our Smart Card certificates are starting to expire but the automatic renewal process is failing.

    Is it actually possible to auto renew Smart Card certs without requiring any user input (other than the PIN)?

    There are two errors in the event log -

    Event ID:      16
    Description:
    Certificate enrollment for <domain>\<username> failed to renew a SmartcardLogon certificate with request ID N/A from <ca server name> (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790)).

    Event ID:      6
    Automatic certificate enrollment for <domain>\<username> failed (0x80090022) Provider could not perform the action since the context was acquired as silent.

    The certificate template is configured with all the correct permissions (Read, Enroll, AutoEnroll) and group policy is configured with the auto enrolment settings.

    Thanks in advance.

     

    Thursday, October 30, 2014 11:22 AM

All replies

  • This may be caused by an incorrect certificate template configuration. In the Request Handling tab (IIRC), there are several radio buttons where you specify whether enrollment may ask for user input during enrollment or not. You need to allow user input during enrollment for smart card templates.

    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

    Thursday, October 30, 2014 7:33 PM
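
One way to check the Request Handling setting described in the reply above from PowerShell, as an added example (not code from the thread or from the PSPKI module). It decodes the template's msPKI-Enrollment-Flag attribute using the flag values from the MS-CRTD specification; the function names and the sample flag values are hypothetical and constructed for illustration.

```powershell
# msPKI-Enrollment-Flag bits (MS-CRTD) relevant to the failure in events 6 and 16
$CT_FLAG_AUTO_ENROLLMENT           = 0x20    # clients autoenroll for this template
$CT_FLAG_USER_INTERACTION_REQUIRED = 0x100   # "Prompt the user during enrollment"

# Hypothetical helper: read the attribute for one template from the AD
# configuration partition (needs a domain-joined machine and read access).
function Get-TemplateEnrollmentFlag {
    param([Parameter(Mandatory)][string]$TemplateName)
    $config = [string]([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
    [int]([ADSI]"LDAP://$dn").Properties['msPKI-Enrollment-Flag'].Value
}

# Hypothetical helper: decode the flag and report what a smart card user will see.
function Test-SmartCardTemplateFlag {
    param(
        [Parameter(Mandatory)][int]$EnrollmentFlag,
        [string]$Name = '(unnamed)'
    )
    $auto   = [bool]($EnrollmentFlag -band $CT_FLAG_AUTO_ENROLLMENT)
    $prompt = [bool]($EnrollmentFlag -band $CT_FLAG_USER_INTERACTION_REQUIRED)
    $finding =
        if (-not $auto) {
            'Autoenrollment flag not set: renewal is not triggered automatically.'
        } elseif (-not $prompt) {
            'Silent request: the card cannot ask for the PIN, expect 0x80090022 (events 6 and 16).'
        } else {
            'Prompted renewal: the user gets a tray notification and enters the PIN.'
        }
    [pscustomobject]@{
        Template        = $Name
        EnrollmentFlag  = '0x{0:X}' -f $EnrollmentFlag
        AutoEnrollment  = $auto
        UserInteraction = $prompt
        Finding         = $finding
    }
}

# Constructed sample values (not taken from the thread): the same template
# before and after selecting "Prompt the user during enrollment".
Test-SmartCardTemplateFlag -Name 'SmartcardLogon (silent)'   -EnrollmentFlag 0x20
Test-SmartCardTemplateFlag -Name 'SmartcardLogon (prompted)' -EnrollmentFlag 0x120

# Against a live forest (template name as it appears in the event text):
# Test-SmartCardTemplateFlag -Name 'SmartcardLogon' `
#     -EnrollmentFlag (Get-TemplateEnrollmentFlag -TemplateName 'SmartcardLogon')
```
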
  • Thank you Vadims. When I select the Prompt for User input option the users now see an icon in the task tray which prompts them to enrol for a new certificate. Is this as close as we can get to a seamless enrolment (i.e. is there any way this can happen silently)?

    Thanks
    Chris 


    Friday, October 31, 2014 9:08 AM
  • Nope, silent enrollment for smart cards is not possible.

    Friday, October 31, 2014 9:20 AM
  • Ok, that is what I suspected. Thanks for your help Vadims.
    Friday, October 31, 2014 9:23 AM
  • Hello Vadims,

    I know that this thread is outdated, but I have the same problem. Is it actually possible (Windows 2016 CA) to have a certificate on a smart card renewed without any user interaction? It seems that if I select "enroll subject without any user input" or "prompt the user during enrollment", a pop-up always appears in the tray bar advising the user that a certificate needs to be renewed.

    Many thanks

    Andrea

    Monday, June 3, 2019 8:40 AM