Re: Re-enrollment of Certificate on Win 2000
From: Eduard Koller [MSFT] (eduardk_at_online.microsoft.com)
Date: 07/19/05
- Next message: Chris Weber [Security MVP]: "Re: Is Remote Desktop Connection Login secure over wireless?"
- Previous message: INSUB CHANG: "Re: Class on Rights and Auditing"
- Next in thread: Brian Komar: "Re: Re-enrollment of Certificate on Win 2000"
- Reply: Brian Komar: "Re: Re-enrollment of Certificate on Win 2000"
Date: Mon, 18 Jul 2005 18:57:22 -0700
1) When you check the "requires CA Certificate Manager approval" checkbox,
all the cert requests will get pended, and will need to be issued by the CA
admin.

2) No, I'm not aware of any way of doing this.

3) Yes, this is normal. And yes, you should leave the expired certificate
listed in the Issued certificates (you cannot delete them from there
anyway...)
--
Eduard Koller [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Nancy Kafer" <nkafer@homesteaderslife.com> wrote in message
news:OQSe0Z1eFHA.4040@TK2MSFTNGP14.phx.gbl...
> I am relatively new to PKI and am working with renewing certificates. I
> have a Win 2K3 Enterprise Edition server as my CA. I also have
> approximately 30 laptops (running Windows 2000) with VPN certificates.
> These certificates are set to expire during the next few months. I know
> that if I was running Win XP my certificates could auto-reenroll.
> However, I know that I have to use a script to renew my Win 2K machines.
> I have taken a copy of the Enroll.vbs script from the "Windows Server
> 2003 PKI Certificate Security" manual and modified it to account for our
> environment.
>
> I have a few questions about renewing certificates:
>
> 1) I have the issuance requirements on my VPN certificate set to "CA
> Certificate Manager approval" for enrollment and checked "Valid existing
> certificate" for re-enrollment. My issue is that when I run the
> enroll.vbs script my certificate request gets pended instead of
> automatically issuing a renewal. So then my script fails. I have made
> sure that I am specifying /renew as a command line parameter on my
> cscript command. When I uncheck the "CA Certificate Manager" checkbox and
> re-run the enroll.vbs script my certificate is issued. Why will the
> script not automatically renew my certificate when this box is checked?
> Is the re-enrollment requirement only valid for Win XP? I really don't
> want to uncheck this box because it is a security risk.
>
> 2) Is there a way that when I renew my certificate it uses the existing
> fields from the original certificate (e.g. Friendly name)? When I looked
> at the certificate generated via the enroll.vbs script I noticed my
> friendly name was gone (may have been other fields that were also
> different from the original certificate).
>
> 3) When I unchecked the "CA Certificate Manager approval" checkbox and
> ran the enroll.vbs script my script ran successfully. I looked at the
> certificate on my client and it was updated (verified because before I
> renewed the certificate I changed the validity period). When I look on my
> Certificate Authority I see a new issued certificate that corresponds to
> my renewed certificate only it had a different serial number. Is this
> normal? Should I leave the expired certificate listed in the Issued
> certificates?
>
> Thanks for any help.
>
> Nancy
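Added example, not part of the thread: the CA-side steps that answers 1 and 3 imply, run as a certificate manager on the Windows Server 2003 CA (the request ID 123 and the subject name LAPTOP01.example.local are placeholders). It lists the renewal requests parked by the "CA Certificate Manager approval" requirement, issues one after review, and confirms that a renewal shows up as a second certificate for the same subject with its own serial number.

```powershell
# Added example (not from the thread). Assumes it runs on the Windows Server
# 2003 CA as a certificate manager; 123 and LAPTOP01.example.local are
# placeholders to replace with a real request ID and subject.

# 1) Requests held by the "CA Certificate Manager approval" setting sit in the
#    CA database with Disposition 9 (pending). A client /renew against this
#    template stays pended until someone here acts on it.
certutil -view -restrict "Disposition=9" -out "RequestID,RequesterName,CommonName,CertificateTemplate,SubmittedWhen"

# 2) After checking that the requester and template are the expected ones,
#    issue the request by ID (certutil -deny <ID> rejects it instead).
$requestId = 123
certutil -resubmit $requestId

# 3) A renewal is a new certificate, not an edit of the old one: same subject,
#    new serial number, new validity period. Listing everything issued
#    (Disposition 20) to the subject shows both entries; the older one remains
#    in Issued Certificates and cannot be removed from there.
certutil -view -restrict "Disposition=20,CommonName=LAPTOP01.example.local" -out "RequestID,SerialNumber,NotBefore,NotAfter"
```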