

Refreshing computer certificates

Question

Wednesday, August 7, 2013 12:34 AM

I configured Auto Enrollment for computer certificates with our AD CA and it worked fine. However I am now decommissioning the old CA. I've set up a new CA, disabled the old CA from issuing certs (however it is still up for authenticating and CRL).

New computers added to the domain are successfully autoenrolling with my new CA. However computers that currently have a cert with the old CA aren't pulling a certificate. I tried revoking the cert on the old CA, and deleting it from local store, but neither seemed to trigger.

Any suggestions? TIA.

All replies (3)

Friday, August 9, 2013 12:38 PM ✅ Answered

Hi,

if you use the same certificate template and the same security permissions on the CA allowing all machines to request a certificate, your clients should request a new certificate from the new CA after you have deleted the certificate. You can run a certutil.exe -pulse or gpupdate /force to trigger the auto-enroll management process.

You can also use the MMC for certificate templates to re-issue certificates to all certificate holders. Make a right mouse click on the certificate template name and select "Reenroll All Certificate Holders".

Regards,

Lutz
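The procedure in the answer above (delete the certificate issued by the old CA, then pulse auto-enrollment) as a PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes the old CA's common name is the placeholder OLD-CA-NAME, that the template is published on the new CA with Autoenroll permission for the computer account, and that it is run from an elevated session on the affected machine. The -WhatIf switch is a hypothetical parameter of this script that lists matching certificates without removing them.

```powershell
# Added example (not from the thread): remove machine certificates issued by the
# decommissioned CA and trigger auto-enrollment against the new CA.
# Assumptions: OLD-CA-NAME is a placeholder for the CN of the old issuing CA;
# the template is published on the new CA with Autoenroll rights for the
# computer account. Run in an elevated PowerShell session.

param(
    [string]$OldCaName = 'OLD-CA-NAME',   # placeholder: CN of the decommissioned CA
    [switch]$WhatIf                       # hypothetical: list only, do not delete
)

$store = 'Cert:\LocalMachine\My'

# 1. Find computer certificates whose issuer is the old CA.
$oldCerts = Get-ChildItem -Path $store |
    Where-Object { $_.Issuer -like "CN=$OldCaName*" }

if (-not $oldCerts) {
    Write-Host "No certificates issued by '$OldCaName' found in $store."
} else {
    foreach ($cert in $oldCerts) {
        Write-Host ("Removing {0} (thumbprint {1}, expires {2})" -f `
            $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
        if (-not $WhatIf) {
            # Remove from the local machine store; the client then has no
            # certificate for the template and auto-enrollment re-requests one.
            Remove-Item -Path $cert.PSPath
        }
    }
}

if (-not $WhatIf) {
    # 2. Trigger auto-enrollment now instead of waiting for the next policy refresh.
    certutil.exe -pulse | Out-Null
    gpupdate.exe /force | Out-Null

    # 3. Check for a replacement certificate from the new CA. Enrollment runs
    #    asynchronously, so allow a short delay before inspecting the store.
    Start-Sleep -Seconds 15
    Get-ChildItem -Path $store |
        Where-Object { $_.Issuer -notlike "CN=$OldCaName*" } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint |
        Format-Table -AutoSize
}
```

Run it once with -WhatIf to confirm only the old CA's certificates match before deleting anything. If the replacement certificate does not appear, the Application log (source CertificateServicesClient-AutoEnrollment) records why the request was not made, which is usually a template permission or CA publication issue rather than a client problem.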


Monday, August 12, 2013 12:43 PM

Hi,

Just checking in to see if the suggestion was helpful. Please let us know if you would like further assistance.

TechNet Subscriber Support

If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

Cataleya Li
TechNet Community Support


Monday, August 12, 2013 2:26 PM

I had to delete the certificate from the local store, and then it would pull after it refreshed group policy.

Thanks.