Certificate renewal RRS feed

  • Question

  • I have a failed request in our Root CA related to few computers saying that "The certificate template renewal period is longer than the certificate validity period. The template should be reconfigured, or CA certificate renewed"

    I have renewed the CA certificate. Root CA has the more extended period.

    My concerns are that the PC will ever get the new certificate?
    Is there any way we can force the root CA/PCs to new the certificate immediately?

    Friday, August 3, 2018 3:29 PM

All replies

  • Hi, we have very little information about your PKI landscape, so assuming that you are using a single CA that is the root and also online issuing CA.  The error relates to the remaining lifespan of the certificate relating to the CA that will issue your client computers.

    The new issuing CA certificate will need publishing to AD to enable automatic deployment to domain joined computers.  For non-domain computers you will need to arrange for installation of the new CA cert to each device.

    Monday, August 6, 2018 8:15 AM
  • All the domain-joined computers got the root CA cert in their trusted store.

    The templates were set to auto-enroll as well as GPO.

    I noticed a few computers got their personal cert after  I extended the validity period.

    My concerned is that failed computers, will they retry to renew the certificate?

    • Edited by Mutthu Tuesday, August 7, 2018 3:03 AM
    Tuesday, August 7, 2018 3:01 AM
  • In the case you describe, the certs should be in the machines' store upon GPO refresh which is by default 8 hours but can be executed immediately on any domain-joined machine by

    gpupdate /force at the command line.

    Hope that helps,


    Tuesday, August 7, 2018 5:24 AM
  • i have issue gpupdate /force.

    The personal store still has old  certificates. They have not expired yet.

    Is it the reason, we have not got the new certificates yet?

    Tuesday, August 7, 2018 2:57 PM