PKI Question - User Certificate Renewal

Subject Author Date
PKI Question - User Certificate Renewal BK 02-21-2008
Posted by BK on February 21, 2008, 4:56 pm
Question - what is the best practice method of renewing a user certificate? I
am referring to Autoenrollment or CA Manager approval required. In my lab and
customer environment we seem to be having problems when the certificate is
manually approved/issued.

I have tested this in three separate environments. In my lab environment,
Scenario 1
1. Auto Enrollment is not enabled on the security template, for the Email
Encryption template.
2. Under Require the following for re-enrollment - The radio button is checked
for “Same Criteria as for enrollment”
OR
3. Under Require the following for re-enrollment - The radio button is checked
for “Valid existing certificate”
4. When the user renews the certificate using Certmgr, the CA Manager will
have to issue the certificate and then export it out.
5. The user imports the certificate on a client machine, and in my test
environment and the customer test environment the new certificate will not
have a private key attached to it.

Scenario 2

1. Auto Enrollment is enabled on the Security Template for the Email
Encryption template
2. On the Issuance Requirement, there is a check mark for CA certificate
manager approval
3. Under Require the following for re-enrollment - The radio button is checked
for “Same Criteria as for enrollment”
4. Customer renews the certificate with the SAME KEY using CertMGR.MSC,
5. The CA Manager issues the certificate and sends it to the client to install
it. The client installs the certificate, but no private key gets attached to
the certificate.

Scenario 3

6. Auto Enrollment is enabled on the Security Template for the Email
Encryption template
7. On the Issuance Requirement, there is a check mark for CA certificate
manager approval
8. Under Require the following for re-enrollment - The radio button is checked
for “Valid existing certificate”
9. Customer renews the certificate with the SAME KEY using CertMGR.MSC,
and the certificate automatically gets installed. This worked in the customer
environment.
10. Step #4, I had two different behaviors. The difference in the behavior
is that the CA Manager must issue the certificate and export it to the user
for installation, which I did get in my lab environment at one point during the
testing. The settings are exactly the same settings that are in step 4.

11. There is no documentation anywhere on the Microsoft website in terms of best
practice for renewing the certificate. David suggested posting the question to
the Microsoft forums to see if I get any responses.


Posted by Paul Adare on February 21, 2008, 11:39 pm
On Thu, 21 Feb 2008 13:56:00 -0800, BK wrote:

> Question - what is the best practice method of renewing a user certificate? I
> am referring to Autoenrollment or CA Manager approval required. In my lab and
> customer environment we seem to be having problems when the certificate is
> manually approved/issued.

Answered your duplicate post.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
You had mail, but the super-user read it, and deleted it!
