Re-issuing new certs to all users transparently if there is a risk certs have been compromised

  • Question

  • To avoid service disruption, what is the best method to get new certs auto-enrolled to all workstations and computers? I want a method that ideally does not revoke the old certificates first, until the new certs have auto-enrolled.

    Would selecting Reenroll All Certificate Holders on the relevant template do the job, or would that not issue a brand new cert?

    Friday, April 5, 2013 3:44 PM


All replies

  • Reenroll All Certificate Holders will force autoenroll to enroll a new cert regardless of the state of the existing cert for that template. This assumes autoenroll is enabled in Group Policy and on the template for that user.

    andrew

    Saturday, April 6, 2013 5:20 AM
  • What happens at the client end? Does the old certificate still remain until it expires? I.e., do you have the old cert plus the new one?
    Monday, April 8, 2013 8:53 AM
  • All certificates usually stay in the local computer or user personal stores indefinitely, even when they have already expired. Autoenrollment just archives them. You can take a look at a particular personal store using the Certificates MMC console: open the console, right-click the root node (the one that says "Certificates") and select View - Options, then enable the checkbox for Archived certificates. You will then see all certificates, some of them with the A attribute.

    Autoenrollment just archives certificates which are either expired or revoked, or when it itself enrolls for a new certificate from the same template. So in your scenario with "Reenroll all certificate holders", the previous certificates should get archived and will disappear from the normal console view.

    ondrej.

    • Marked as answer by 朱鸿文 Thursday, May 2, 2013 4:36 AM
    Tuesday, April 9, 2013 8:02 AM
  • OK, so a certificate is archived when the client enrolls for a new certificate from the same template? Which is what will happen if "Reenroll all certificate holders" is selected. And there is no relationship between the archived certificate and the newly enrolled cert, apart from them sharing the same template?

    Tuesday, April 9, 2013 4:04 PM
  • No, there is no other relationship. The new certificate will have a different key, serial number, validity period, thumbprint, etc.

    ondrej.

    • Marked as answer by 朱鸿文 Thursday, May 2, 2013 4:36 AM
    Wednesday, April 10, 2013 8:41 PM
  • Thank you.
    Thursday, May 2, 2013 10:01 AM
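The following PowerShell script is an added example, not code from the thread or from Microsoft: it checks, on a client, what andrew and ondrej describe above. It opens the user and machine Personal stores with the IncludeArchived flag (the .NET equivalent of the "Archived certificates" checkbox in the MMC), groups certificates by template, reports how many are active versus archived, and confirms that the newly enrolled certificate shares no serial number or thumbprint with the archived ones. The -Template and -Pulse parameters are this script's own; -Pulse runs certutil -pulse, the built-in command that triggers autoenrollment immediately instead of waiting for the next policy refresh. It assumes a domain-joined Windows client enrolled from an AD CS enterprise CA.

```powershell
# Added example (not from the thread): audit the Personal stores, including archived
# certificates, after "Reenroll All Certificate Holders" has been selected on a template.
# Read-only unless -Pulse is given. Template name filter and switch names are this
# script's own assumptions.
param(
    [string]$Template = '*',   # template name to audit, e.g. 'Workstation Authentication'
    [switch]$Pulse             # also run "certutil -pulse" to trigger autoenrollment now
)

Add-Type -AssemblyName System.Security

# OID 1.3.6.1.4.1.311.20.2 = Certificate Template Name (v1 templates)
# OID 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2 and later templates)
function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') {
            # Format($false) renders "Template=Name(OID), Major Version Number=..." for v2+
            # templates and the bare name for v1 templates; an unresolvable OID stays an OID.
            $text = $ext.Format($false)
            if ($text -match 'Template=([^(]+)') { return $Matches[1].Trim() }
            return $text.Trim()
        }
    }
    return '<no template>'
}

function Get-StoreCerts {
    param([string]$Location)   # 'CurrentUser' or 'LocalMachine'
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $Location)
    # IncludeArchived is what makes the certificates the MMC hides (the "A" attribute) visible
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
                [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived)
    try {
        foreach ($c in $store.Certificates) {
            [pscustomobject]@{
                Store      = $Location
                Template   = Get-TemplateName $c
                Archived   = $c.Archived
                NotBefore  = $c.NotBefore
                NotAfter   = $c.NotAfter
                Serial     = $c.SerialNumber
                Thumbprint = $c.Thumbprint
            }
        }
    } finally { $store.Close() }
}

if ($Pulse) {
    certutil -pulse       | Out-Null   # machine autoenrollment
    certutil -user -pulse | Out-Null   # user autoenrollment
    Start-Sleep -Seconds 10            # give the enrollment a moment to complete
}

$certs = @(Get-StoreCerts 'CurrentUser') + @(Get-StoreCerts 'LocalMachine') |
         Where-Object { $_.Template -like $Template }

# One row per store and template: the active cert(s) plus everything that was archived.
$certs | Group-Object Store, Template | ForEach-Object {
    $active   = @($_.Group | Where-Object { -not $_.Archived })
    $archived = @($_.Group | Where-Object { $_.Archived })
    [pscustomobject]@{
        Store         = $_.Group[0].Store
        Template      = $_.Group[0].Template
        ActiveCount   = $active.Count
        ActiveIssued  = ($active | ForEach-Object { $_.NotBefore.ToString('s') }) -join ','
        ArchivedCount = $archived.Count
        # Sanity check: per ondrej's answer the new cert must share no serial or thumbprint
        # with the archived one; $true here means re-enrollment did not produce a new cert.
        SharedSerialOrThumbprint = [bool](($active.Serial + $active.Thumbprint) |
            Where-Object { $_ -in ($archived.Serial + $archived.Thumbprint) })
    }
} | Sort-Object Store, Template | Format-Table -AutoSize
```

A row with ActiveCount 1, ArchivedCount at least 1 and SharedSerialOrThumbprint $false, with an ActiveIssued date after the template version was bumped, is what a successful "Reenroll All Certificate Holders" looks like on that client. Two points the script makes visible that matter for the compromise scenario in the question: archiving only hides the old certificate from the console, and its key is still on the machine, so once enough clients show the new certificate you still need to revoke the old ones at the CA and publish a CRL for the old credentials to stop being accepted; and a client that never reports an archived entry for the template has not re-enrolled yet, which is where -Pulse (or simply waiting for the next Group Policy refresh) comes in.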