Re: EFS certificate renewal
From: Jason Darst (jason_register20002yahoo.com)
Date: 07/30/04
Date: Fri, 30 Jul 2004 07:26:30 -0700
Thanks Miha for the information. That at least gives me an idea.
"Miha Pihler" <mihap-news@atlantis.si> wrote in
news:Obsm2NbdEHA.1048@tk2msftngp13.phx.gbl:
> Hi Jason,
>
> my answers are in-line. I hope they help,
>
> "Jason Darst" <jason_register20002yahoo.com> wrote in message
> news:Xns9535A60259B9jasonregister2000yah@207.46.248.16...
>> We use EFS in our organization and have a Windows 2003 Enterprise CA
>> issuing the certificates for it. We are approaching the renewal
>> time and I was looking for some details about how Windows 2000 or
>> Windows XP handles the renewal process from the client. I know the
>> high level of once the renewal period is reached, if auto-enrollment
>> and renewal is allowed in group policy the computer will request a
>> renewal.
>>
>> The questions come in because we have laptops that go for a long
>> period of time not connected to our network. So the following
>> questions arise:
>>
>> What triggers a renewal request? Access of an EFS certificate?
>> Login to the PC? First bootup? Change in network interfaces?
>> Change in IP address?
>
> Group Policy. When client boots up, it will look for DC to connect to.
>
>> If the computer is not connected when the renewal period is first
>> reached, what happens?
>
> Nothing. Again client tries to connect to DC and update group policy
> and perform tasks defined in group policy.
>
>> If the first renewal request is not successful because the Enterprise
>> CA is not reachable (laptop is external to the network at the time)
>> will it retry?
>
> Yes, it will "retry" -- or better said it will try to renew once it
> can connect to DC and CA server.
>
>> If it retries, what is the trigger for it to retry and how often does
>> it do it?
>
> I would say, till it has a valid certificate -- but it can depend on
> your settings...
>
>> If the expiration period is reached, and group policy says it is to
>> use a specified Enterprise CA and that CA is not reachable, will it
>> still generate a self signed certificate?
>
> Yes.
>
>> Any answers to these questions would be much appreciated. The
>> technet documentation I can find just doesn't go to this level of
>> detail. And I'm worried that I'm going to have laptops that are
>> sporadically connected missing their renewal chances and issuing
>> self signed certificates, which would be a mess.
>>
>> Thank you.
>
>
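
A check an administrator could run on a sporadically connected laptop to spot the situation discussed in this thread: EFS certificates that are self-signed or close to expiry. This is an added example, not part of the original posts; the function name `Get-EfsCertificateStatus` and the 30-day warning window are assumptions, and it needs a Windows version with PowerShell rather than the Windows 2000/XP clients discussed above.

```powershell
# Added example: list EFS-capable certificates in the current user's store
# and flag self-signed or soon-to-expire ones.
function Get-EfsCertificateStatus {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [int]$WarnDays = 30          # assumed warning window, not from the thread
    )
    $efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
    $now    = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Only consider certificates whose Enhanced Key Usage includes EFS.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { continue }
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($oids -notcontains $efsOid) { continue }

        # Heuristic: a certificate whose issuer equals its subject was not
        # issued by the Enterprise CA (it is self-signed).
        $selfSigned = ($cert.Subject -eq $cert.Issuer)

        if     ($cert.NotAfter -lt $now)                    { $state = 'Expired' }
        elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { $state = 'ExpiringSoon' }
        else                                                { $state = 'OK' }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            SelfSigned    = $selfSigned
            State         = $state
        }
    }
}

# Show anything that needs attention before the laptop leaves the network again.
Get-EfsCertificateStatus |
    Where-Object { $_.SelfSigned -or $_.State -ne 'OK' } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

Run it in the user's own session, since EFS certificates live in the per-user store; `cipher /y` shows the thumbprint of the certificate EFS is currently using, which can be matched against the output.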