EFS certificate renewal

From: Jason Darst (jason_register20002yahoo.com)
Date: 07/29/04


Date: Thu, 29 Jul 2004 14:19:09 -0700

We use EFS in our organization and have a Windows 2003 Enterprise CA
issuing the certificates for it. We are approaching the renewal time
and I was looking for some details about how Windows 2000 or Windows XP
handles the renewal process from the client. I know at a high level that
once the renewal period is reached, if auto-enrollment and renewal are
allowed in group policy, the computer will request a renewal.

The questions come in because we have laptops that go for a long period
of time not connected to our network. So the following questions arise:

What triggers a renewal request? Access of an EFS certificate? Login to
the PC? First bootup? Change in network interfaces? Change in IP
address?

If the computer is not connected when the renewal period is first
reached, what happens?

If the first renewal request is not successful because the Enterprise CA
is not reachable (laptop is external to the network at the time) will it
retry?

If it retries, what is the trigger for it to retry and how often does it
do it?

If the expiration period is reached, and group policy says it is to use a
specified Enterprise CA and that CA is not reachable, will it still
generate a self signed certificate?

Any answers to these questions would be much appreciated. The TechNet
documentation I can find just doesn't go to this level of detail. And
I'm worried that I'm going to have laptops that are sporadically
connected missing their renewal chances and issuing self-signed
certificates, which would be a mess.

Thank you.
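Added example (editor's code, not part of the original post or any Microsoft documentation): a PowerShell check you can run in the user's session on a laptop to see exactly the condition the poster is worried about, namely whether the user's EFS certificates are close to expiry, already expired, or self-signed instead of issued by the enterprise CA. It also reads the user autoenrollment policy value so you can confirm the client is actually allowed to renew. The CA name `CN=Contoso Enterprise CA`, the `$WarnDays` window, and the decoding of the `AEPolicy` bits in the comments are assumptions for illustration; the EFS EKU OID `1.3.6.1.4.1.311.10.3.4` and the `Cert:` drive are standard.

```powershell
# Audit the current user's EFS certificates and the autoenrollment policy.
# Editor-added example; the CA name and warning window below are placeholders.
param(
    [string]$ExpectedIssuer = 'CN=Contoso Enterprise CA',   # assumed enterprise CA subject
    [int]$WarnDays = 42                                     # assumed "renewal window" in days
)

# Enhanced Key Usage OID that marks a certificate as usable for EFS.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'

# Collect certificates in the user's personal store that carry the EFS EKU.
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $ekuExt = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEku })
}

if (-not $efsCerts) {
    Write-Warning 'No EFS certificates found in Cert:\CurrentUser\My.'
}

$now = Get-Date
$report = foreach ($cert in $efsCerts) {
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

    # A self-signed EFS certificate has an identical Subject and Issuer; this is
    # what the client falls back to when no CA can issue one.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    $status = if ($daysLeft -lt 0)          { 'EXPIRED' }
              elseif ($daysLeft -le $WarnDays) { 'RENEW-DUE' }
              else                             { 'OK' }

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        DaysLeft       = $daysLeft
        SelfSigned     = $selfSigned
        FromExpectedCA = ($cert.Issuer -eq $ExpectedIssuer)
        Status         = $status
    }
}

$report | Format-Table -AutoSize

# User autoenrollment policy as written by Group Policy. Reading the value is
# standard; the bit meanings in the comment are the editor's understanding:
#   0x1 = renew expired / update pending / remove revoked
#   0x2 = update certificates that use certificate templates
#   0x8000 = autoenrollment disabled
$aeKey = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) {
    Write-Warning "No AEPolicy value under $aeKey; user autoenrollment policy is not configured."
} else {
    '{0}: AEPolicy = 0x{1:X}' -f $aeKey, $aePolicy
}

# Non-zero exit code if anything needs attention, so the script can run from a
# logon script or monitoring agent and be alerted on.
$problems = @($report | Where-Object { $_.SelfSigned -or $_.Status -ne 'OK' })
if ($problems.Count -gt 0) {
    Write-Warning ('{0} EFS certificate(s) need attention.' -f $problems.Count)
    exit 1
}
exit 0
```

Run it as the user whose files are encrypted (the EFS certificate lives in that user's store, not the machine store). On a laptop that is back on the network, `certutil -pulse` kicks off an autoenrollment pass immediately on current Windows versions rather than waiting for the next scheduled trigger, so you can re-run this check right after to confirm the renewal succeeded.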

