PKI Question - User Certificate Renewal

Subject: PKI Question - User Certificate Renewal
Posted by:  BK (…@discussions.microsoft.com)
Date: Thu, 21 Feb 2008

Question - what is the best practice method of renewing a user certificate? I
am referring to Autoenrollment or CA-Manager approval required. In my lab and
customer environment we seem to be having a problem when the certificate is
manually approved/issued.

I have tested this in three separate environments. In my lab environment:

Scenario 1

1. Auto Enrollment is not enabled on the security template, for the Email
Encryption template.
2. Under "Require the following for re-enrollment", the radio button is checked
for "Same criteria as for enrollment"
OR
3. Under "Require the following for re-enrollment", the radio button is checked
for "Valid existing certificate"
4. When the user renews the certificate using Certmgr, the CA Manager will
have to issue the certificate and then export it out.
5. The user imports the certificate on a client machine, in my test
environment and the customer test environment. The new certificate will not
have a private key attached to it.

Scenario 2

1. Auto Enrollment is enabled on the security template for the Email
Encryption template.
2. On the Issuance Requirements, there is a check mark for CA certificate
manager approval.
3. Under "Require the following for re-enrollment", the radio button is checked
for "Same criteria as for enrollment".
4. Customer renews the certificate with the SAME KEY using certmgr.msc.
5. The CA Manager issues the certificate and sends it to the client to install
it. The client installs the certificate, but no private key gets attached to
the certificate.

Scenario 3

6. Auto Enrollment is enabled on the security template for the Email
Encryption template.
7. On the Issuance Requirements, there is a check mark for CA certificate
manager approval.
8. Under "Require the following for re-enrollment", the radio button is checked
for "Valid existing certificate".
9. Customer renews the certificate with the SAME KEY using certmgr.msc,
and the certificate automatically gets installed. This worked in the customer
environment.
10. In step #4, I had two different behaviors. The difference in the behavior
is that the CA Manager must issue the certificate and export it to the user
for installation, which I did get in my lab environment at one point during the
testing. The settings are exactly the same settings that are in step 4.

11. There is no documentation anywhere on the Microsoft website in terms of best
practice for renewing the certificate. David suggested posting the question to
the Microsoft forums, and seeing if I get any responses.

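An added example, not part of BK's post or any reply: a PowerShell check for the symptom described in Scenarios 1 and 2 (an issued certificate lands in the user's Personal store with no private key). The key pair for a renewal request is generated on the machine and in the user profile where certmgr.msc ran, and stays there while the request waits for CA-manager approval; if the issued .cer is imported somewhere else, or the import does not match it to that key, the certificate shows up without a private key. The script lists what is in the store, then asks certutil to re-bind any orphaned certificate to a matching key in the current user's key container. It assumes it runs as the same user, on the same machine, where the renewal request was generated; the store names and certutil options used are the standard ones.

```powershell
# Added example (not from the original post): audit the current user's
# Personal store for certificates that have no bound private key, then try to
# re-associate them with a key that still exists in this user's key container.
# Assumption: run as the SAME user on the SAME machine where the renewal
# request was generated. certutil cannot recover a key that lives elsewhere.

# 1. Every certificate in CurrentUser\My, with its private-key status.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Select-Object Subject, NotAfter, SerialNumber, Thumbprint, HasPrivateKey

$certs | Format-Table -AutoSize

$orphaned = $certs | Where-Object { -not $_.HasPrivateKey }

# 2. Pending renewal requests (key pair already generated, waiting for the
#    CA manager to issue) sit in the REQUEST store until the issued
#    certificate is accepted against them.
Get-ChildItem -Path Cert:\CurrentUser\REQUEST |
    Select-Object Subject, NotBefore, Thumbprint |
    Format-Table -AutoSize

# 3. For each certificate without a key, let certutil search this user's key
#    store for a private key whose public half matches the certificate and
#    rebuild the link. This only succeeds if that key is present here.
foreach ($c in $orphaned) {
    Write-Host "Repairing key binding for $($c.Subject) [serial $($c.SerialNumber)]"
    certutil -user -repairstore My $c.SerialNumber
}

# 4. Re-check. Anything still lacking a key was not generated on this machine
#    (or the key is gone) and needs a fresh enrollment with a new key pair,
#    not another import of the same issued .cer file.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { -not $_.HasPrivateKey } |
    ForEach-Object {
        Write-Warning "Still no private key: $($_.Subject) $($_.Thumbprint)"
    }
```

When the CA manager hands back the issued certificate as a file, installing it with `certreq -accept -user <issued.cer>` on the requesting machine matches it to the pending request in the REQUEST store and binds the key in one step, which avoids the loose import that produces the key-less certificate in the first place.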