Situation: Customer reported that his client authentication PKI certificate issued by the Enterprise CA is set to expire within 30 days and has not been automatically renewed.
Challenge: If the client authentication certificate expires, then the eControl connection to Active Directory will fail, and managing user account password changes and creating new accounts will no longer work.
Applies to: Windows 2003 Enterprise CA Certificate Services, eControl 3.x for Active Directory
References: Ensure that you consult Microsoft online documentation on PKI Certificate Services for additional information:
Process: The focus of this article is to explain the steps to ensure that:
How to verify the Enterprise CA Root Certificate
On the server hosting the Enterprise CA:
- Load the Certificates MMC and then target it at the computer account (Start, Run, MMC, File, Add/Remove Snap-in, Add, Certificates, Add, Computer Account, Next, Finish, Close, OK)
- Expand the Certificates (Local Computer) and then the Trusted Root Certification Authorities subfolder, then the Certificates folder.
- Locate the CA Root Certificate and verify the Expiration date.
How to renew the Enterprise CA Root Certificate
On the server hosting the Enterprise CA:
- Load the Certification Authority Tool (Start, Administrative Tools, Certification Authority)
- Under 'Certification Authority (Local)', right-click the CA and choose All Tasks and then Renew CA Certificate ...
- Follow the wizard to renew the CA certificate.
Verify that the Autoenrollment Policy is configured on the Enterprise CA
Before renewing or reissuing client authentication certificates on a DC server, you need to verify that autoenrollment is correctly configured. On the server hosting the Enterprise CA:
- Load the Certificate Templates MMC (Start, Run, MMC, File, Add/Remove Snap-in, Add, Certificate Templates, Add, Close, OK)
- Find the Domain Controller Authentication template and double click
- Select the Security TAB
- Find the Domain Controllers entry and make sure Enroll and Autoenroll are checked in the permissions
- Click OK.
Steps to Renew a soon-to-expire certificate
On the DC server:
- Load the Certificates MMC and then target it at the computer account (Start, Run, MMC, File, Add/Remove Snap-in, Add, Certificates, Add, Computer Account, Next, Finish, Close, OK)
- Expand the Certificates (Local Computer) and then the Personal subfolder, then the Certificates folder.
- Locate the Client Authentication certificate for the Domain Controller and verify the Expiration date.
- If the certificate has not expired, right-click the certificate, choose All Tasks and then Renew Certificate with Same Key ...
- Complete the wizard.
- Run a GPUPDATE /FORCE to force autoenrollment to issue a replacement of the existing certificate.
Steps to Replace an expired certificate
On the DC server:
- Load the Certificates MMC and then target it at the computer account (Start, Run, MMC, File, Add/Remove Snap-in, Add, Certificates, Add, Computer Account, Next, Finish, Close, OK)
- Expand the Certificates (Local Computer) and then the Personal subfolder, then the Certificates folder.
- Locate the Client Authentication certificate for the Domain Controller and verify the Expiration date.
- If the certificate has expired, right-click the certificate, choose All Tasks and then Request Certificate with Same Key ...
- Complete the wizard.
- Run a GPUPDATE /FORCE or reboot the DC server to force autoenrollment to replace the expired certificate.
- Verify that a replacement certificate has been issued to the DC server in the Certificates folder (step 2).
- If a replacement certificate was not issued, delete the expired certificate and rerun GPUPDATE /FORCE.
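The two expiry checks the article walks through in the MMC (the CA root certificate under Trusted Root Certification Authorities, and the DC's Client Authentication certificate under Personal) can be scripted on the DC so that an expiring certificate is caught before eControl loses its AD connection. This is an added example, not part of the original article or of eControl; it assumes a PowerShell version that provides the Cert: drive (2.0 or later), and the function names and the -Renew switch are constructed for this example.

```powershell
param(
    [int]$DaysThreshold = 30,   # the article's 30-day warning window
    [switch]$Renew              # run GPUPDATE /FORCE if a DC cert is expiring
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU
$Cutoff        = (Get-Date).AddDays($DaysThreshold)

# True when the certificate carries the given EKU, or has no EKU extension
# at all (which makes it valid for any purpose).
function Test-Eku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Oid)
    $ekuExts = @($Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] })
    if ($ekuExts.Count -eq 0) { return $true }
    foreach ($ext in $ekuExts) {
        foreach ($usage in $ext.EnhancedKeyUsages) {
            if ($usage.Value -eq $Oid) { return $true }
        }
    }
    return $false
}

# Certificates in a store expiring on or before the cutoff, optionally limited
# to one EKU (already-expired ones are included, since they need replacing too).
function Get-ExpiringCertificates {
    param([string]$StorePath, [string]$Eku)
    Get-ChildItem $StorePath | Where-Object {
        $_.NotAfter -le $Cutoff -and (-not $Eku -or (Test-Eku -Cert $_ -Oid $Eku))
    }
}

# Check 1: CA root certificate(s) in Trusted Root Certification Authorities.
foreach ($c in Get-ExpiringCertificates 'Cert:\LocalMachine\Root') {
    Write-Warning ("Root CA '{0}' expires {1}: renew the CA certificate on the Enterprise CA" -f $c.Subject, $c.NotAfter)
}

# Check 2: Client Authentication certificate(s) in Personal on this DC.
$dcCerts = @(Get-ExpiringCertificates 'Cert:\LocalMachine\My' $ClientAuthOid)
foreach ($c in $dcCerts) {
    $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'expires' }
    Write-Warning ("Client Authentication cert '{0}' ({1}) {2} {3}" -f $c.Subject, $c.Thumbprint, $state, $c.NotAfter)
}

if ($Renew -and $dcCerts.Count -gt 0) {
    # Trigger autoenrollment as the article does; if an expired certificate is
    # not replaced, delete it and run this again.
    gpupdate /force
}
```

The root-store check reports every trusted root nearing expiry, not only the Enterprise CA's, so match the Subject against your CA name when reading the output.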