
Renew Certificate Automatically

microsoft.public.windows.server.security
Posted by manishjhanji on April 14, 2006, 7:34 pm
Hi,

We have a Windows 2000 root CA which would be expiring in next few
months. I understand that we can renew the root CA by following the
steps mentioned at
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/maintain/featusability/c06iis.mspx
section "Reviewing and Renewing the Root CA Certificate".

Is there any option by which following could be achieved-
1) The certificates assigned to the users can be renewed automatically
for the same duration as Root CA?
2) The Updated Personal & Root certificates be pushed to user
desktops?

Will appreciate any help.

Regards,
Manish Jhanji


Posted by Brian Komar [MVP] on April 15, 2006, 7:49 am
Some answers inline...

manishjhanji@gmail.com says...
> Hi,
>
> We have a Windows 2000 root CA which would be expiring in next few
> months. I understand that we can renew the root CA by following the
> steps mentioned at
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/maintain/featusability/c06iis.mspx
> section "Reviewing and Renewing the Root CA Certificate".
>
> Is there any option by which following could be achieved-
> 1) The certificates assigned to the users can be renewed automatically
> for the same duration as Root CA?
Not with a Windows 2000 CA. Autoenrollment is only available when you
have a Windows Server 2003 enterprise CA running on Windows Server 2003,
enterprise edition. As well, the validity period of the certificates
issued by a CA is limited by several factors:
- Remaining validity period of the CA's certificate
- Values of the ValidityPeriodUnits and ValidityPeriod in the registry
- Lifetime configured for a certificate template (which in your case,
you cannot change as it is a Windows 2000 CA that only issues v1
certificate templates which cannot be edited).

> 2) The Updated Personal & Root certificates be pushed to user
> desktops?
You cannot automatically push personal certificates unless you develop a
script to automate enrollment. The root certificate will automatically
publish into AD (if it is an enterprise CA), or can be published into AD
using certutil from a Windows XP workstation.

Brian

>
> Will appreciate any help.
>
> Regards,
> Manish Jhanji
>
>
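
The three limits listed in the reply above, modelled as an added example (not part of the original thread and not Microsoft's code): the certificate's end date is the earliest of the CA certificate's expiry, the registry limit, and the template lifetime. All dates and period values are constructed, and the function names are hypothetical.

```python
import calendar
from datetime import datetime, timedelta

def add_period(start, units, period):
    """Add a ValidityPeriodUnits x ValidityPeriod style interval to a date."""
    period = period.lower()
    if period == "days":
        return start + timedelta(days=units)
    if period == "weeks":
        return start + timedelta(weeks=units)
    if period in ("months", "years"):
        months = units * (12 if period == "years" else 1)
        total = start.month - 1 + months
        year, month = start.year + total // 12, total % 12 + 1
        # Clamp the day so that e.g. 29 Feb + 1 year lands on 28 Feb.
        day = min(start.day, calendar.monthrange(year, month)[1])
        return start.replace(year=year, month=month, day=day)
    raise ValueError(f"unsupported ValidityPeriod: {period!r}")

def effective_not_after(issued_at, ca_not_after, reg, template):
    """Return (NotAfter, limiting factor); reg and template are (units, period)."""
    if issued_at >= ca_not_after:
        raise ValueError("CA certificate has expired; it cannot issue certificates")
    limits = {
        "CA certificate expiry": ca_not_after,
        "registry ValidityPeriod": add_period(issued_at, *reg),
        "template lifetime": add_period(issued_at, *template),
    }
    factor = min(limits, key=limits.get)  # the earliest date wins
    return limits[factor], factor

# Constructed scenario: root CA a few months from expiry, then renewed.
ISSUED = datetime(2006, 4, 15)
OLD_ROOT_EXPIRY = datetime(2006, 9, 1)
NEW_ROOT_EXPIRY = datetime(2011, 4, 20)
REGISTRY = (2, "Years")   # assumed ValidityPeriodUnits / ValidityPeriod values
TEMPLATE = (1, "Years")   # assumed fixed lifetime of a v1 template

if __name__ == "__main__":
    for label, expiry in (("before renewal", OLD_ROOT_EXPIRY),
                          ("after renewal", NEW_ROOT_EXPIRY)):
        not_after, factor = effective_not_after(ISSUED, expiry, REGISTRY, TEMPLATE)
        print(f"{label}: NotAfter={not_after:%Y-%m-%d} (limited by {factor})")
```

With the expiring root, a user certificate issued today is cut off at the root's own expiry; once the root is renewed, the template lifetime becomes the limiting factor instead.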

Posted by manishjhanji on April 26, 2006, 4:14 am
Brian,

Thanks for the information. We are currently using Certificates for
EAP-TLS. Is it possible to renew just the root CA and still ensure that
we could achieve authentication between two machines, one having
certificate issued with old root CA certificate and another having a
certificate issued with new root CA certificate? The link
http://72.14.203.104/search?q=cache:ImEb8-8XddAJ:www.microsoft.com/WINDOWS2000/techinfo/administration/security/certutil.asp+Does+Microsoft+CA+root+certificate+renew+required+clients&hl=en&gl=us&ct=clnk&cd=2
talks about "Enable Chaining Through Renewed CA Certificates". Could
we achieve the above points using this stuff?

Any help would be appreciated.

Regards,
Manish Jhanji


Brian wrote:
> Some answers inline...
>
> manishjhanji@gmail.com says...
> > Hi,
> >
> > We have a Windows 2000 root CA which would be expiring in next few
> > months. I understand that we can renew the root CA by following the
> > steps mentioned at
> > http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/maintain/featusability/c06iis.mspx
> > section "Reviewing and Renewing the Root CA Certificate".
> >
> > Is there any option by which following could be achieved-
> > 1) The certificates assigned to the users can be renewed automatically
> > for the same duration as Root CA?
> Not with a Windows 2000 CA. Autoenrollment is only available when you
> have a Windows Server 2003 enterprise CA running on Windows Server 2003,
> enterprise edition. As well, the validity period of the certificates
> issued by a CA is limited by several factors:
> - Remaining validity period of the CA's certificate
> - Values of the ValidityPeriodUnits and ValidityPeriod in the registry
> - Lifetime configured for a certificate template (which in your case,
> you cannot change as it is a Windows 2000 CA that only issues v1
> certificate templates which cannot be edited).
>
> > 2) The Updated Personal & Root certificates be pushed to user
> > desktops?
> You cannot automatically push personal certificates unless you develop a
> script to automate enrollment. The root certificate will automatically
> publish into AD (if it is an enterprise CA), or can be published into AD
> using certutil from a Windows XP workstation.
>
> Brian
>
> >
> > Will appreciate any help.
> >
> > Regards,
> > Manish Jhanji
> >
> >

