User certificate not auto-renewing

  • Question

  • I have a user certificate that is not auto-renewing. I have checked the user account has Enroll/Auto Enroll permissions on the template and GPO is set for Automatic certificate management to enabled with renew expired certificates and update and manage certificates that use certificate templates from Active Directory. The certificate is issued by an Enterprise CA running on Server 2012 and is a v3 template. I have tried gpupdate, certutil -pulse, and rebooting without success. The cert is due to expire on 5/12/19 so it is within the six week renewal window and it has exceeded 80% of its validity period.

    Other things to note:

    - Auto enrollment works fine

    - The option to store the cert in AD is unchecked, but somehow this same cert is on both of my domain joined computers (same thumbprint)

    - Credential roaming GPO is enabled for a different user cert for SMIME and EFS

    Any ideas on this one?

    Thanks in advance.

    Friday, March 15, 2019 8:55 PM

Answers

  • Renewal does not take place immediately at the designated renewal interval. It is a random value between the expiration date and the designated renewal interval. This is to ensure that the CA is not hit with a glut of renewals annually if a certificate is deployed en masse.

    I think patience is all that is in order here. If you really are worried, you can force autoenrollment by running certmgr.msc to kick off the auto-enroll renewal.

    1. Open certmgr.msc

    2. Right-click Certificates - Current User, point to All Tasks and then click Automatically Enroll and Retrieve Certificates

    The wizard will look to see if any certs are in the autoenroll renewal period and kick off the renewal.

    Brian

    • Marked as answer by dt78 Wednesday, March 20, 2019 5:41 PM
    Wednesday, March 20, 2019 3:59 PM
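Added example, not part of the thread or of any Microsoft tooling: a PowerShell script that does what the answer above describes checking by hand. It lists the current user's template-issued certificates, computes the two renewal criteria the original post mentions (the template renewal period, assumed here to be six weeks, and the 80%-of-validity point) and reports whether each certificate is already inside the autoenrollment window, then pulses autoenrollment and shows what the client logged. Assumptions are marked in the comments: the 42-day renewal period, that renewal is due when the earlier of the two thresholds has passed, and the event provider name used to filter the Application log.

```powershell
# Added example (not code from the thread). Run it as the affected user on the
# domain-joined machine, because the user autoenrollment task runs in that context.
# Assumption: the template's renewal period is 6 weeks (42 days), as in the post.
param(
    [TimeSpan]$TemplateRenewalPeriod = [TimeSpan]::FromDays(42)
)

$now = Get-Date

# OIDs for the Certificate Template Information (v2/v3 templates) and the
# legacy Certificate Template Name (v1) extensions. Certificates without either
# were not issued from an AD CS template and autoenrollment will not renew them.
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'

$report = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    $tmplExt = $cert.Extensions |
        Where-Object { $_.Oid.Value -in $templateOids } |
        Select-Object -First 1
    if (-not $tmplExt) { return }

    $validity   = $cert.NotAfter - $cert.NotBefore
    # 80% of the validity period has elapsed at this point in time.
    $eightyPct  = $cert.NotBefore + [TimeSpan]::FromTicks([long]($validity.Ticks * 0.8))
    # The template renewal period starts this far before expiry.
    $renewStart = $cert.NotAfter - $TemplateRenewalPeriod
    # Assumption: the window opens at whichever threshold comes first.
    $windowOpen = ($now -ge $eightyPct) -or ($now -ge $renewStart)

    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        Template     = $tmplExt.Format($false)
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        WindowOpens  = if ($renewStart -lt $eightyPct) { $renewStart } else { $eightyPct }
        WindowOpen   = $windowOpen
        DaysLeft     = [math]::Round(($cert.NotAfter - $now).TotalDays, 1)
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize

# Pulse autoenrollment, which is the same trigger as "Automatically Enroll and
# Retrieve Certificates" in certmgr.msc. Renewal of a certificate whose window is
# open is still scheduled at a random point inside that window, so one pulse may
# log "nothing to do" even though the certificate is eligible.
certutil -pulse | Out-Null
Start-Sleep -Seconds 15

# Assumption: autoenrollment client events in the Application log carry this
# provider name; adjust the filter if your build logs under a different source.
Get-WinEvent -LogName Application -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } |
    Select-Object -First 10 TimeCreated, Id, Message |
    Format-List
```

The useful output is the WindowOpen column together with the events logged right after the pulse: a certificate that shows WindowOpen as True but never appears in an enrollment event after several pulses points at a template, permission or CA-side problem rather than at the jitter the answer describes.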

All replies

  • Six weeks from today is 26 April. You have a bit of a wait unless you manually renew.

    Regards,

      Bill

    Bill Stites - PKI Consultant

    PKI Solutions, Inc.

    Saturday, March 16, 2019 3:09 AM
  • You are not yet within the 6 weeks until expiry so this is a normal behavior.

    Ahmed MALEK

    Sunday, March 17, 2019 11:06 PM
  • Thanks for the response. I just realized that the expiration date is incorrect. The correct expiration date is 4/12/19.
    • Proposed as answer by Kallen Wang (Moderator) Wednesday, March 20, 2019 9:18 AM
    • Unproposed as answer by dt78 Wednesday, March 20, 2019 2:29 PM
    Monday, March 18, 2019 4:10 PM
  • Hi,

    I am glad to hear that your issue was successfully resolved.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Kallen

    Wednesday, March 20, 2019 9:18 AM
    Moderator
  • Actually, the issue isn't resolved and the "answer" isn't accepted. I am still looking for assistance on this. My response was simply to correct a typo I made in the opening post.
    Wednesday, March 20, 2019 2:29 PM
  • Hi Brian, thanks for the response. Your explanation does make sense. It just gets to be a little nerve-racking when dealing with the possibility that thousands of certs may or may not auto-renew and cause major issues.
    Wednesday, March 20, 2019 5:41 PM