

Troubleshooting cert store events in Windows 10 (related to auto-enrollment)

Question

Friday, November 29, 2019 11:20 AM

Hello,

I would like to find precise logs or information on how certificates in the local machine / Personal (My) store are managed in Windows 10. In particular:

- What triggers Windows to request a new certificate from the same template if it already has one that is valid and not yet in its renewal period?

- Why does Windows NOT archive/delete the old (revoked) certificate if it received a new one from the same template?

I'm seeing these above two scenarios from time to time on the environment I'm working with. I suspect that both issues are related to certificate validation / revocation check issues. For example if Windows is not able to check the revocation status of the existing machine certificate, I suppose it will request a new one. And in the second case, I'm afraid that after auto-enrolling and receiving a second certificate, it doesn't see that the previous one is revoked and keeps it in the store.

>> How could I gather evidence to confirm these assumptions? Which logs in Windows would show the revocation checking of local machine / Personal store certificates?

Thanks!

All replies (5)

Wednesday, December 4, 2019 7:13 AM | 1 vote

Hello,
Thank you for posting our TechNet forum.

I did a test in my lab.

  1. I auto enroll a computer certificate with certificate template (workstation authentication3) on one domain-joined client.

  2. On the same machine, open Event Viewer->Applications and Services Logs->Microsoft->Windows->CertificateServicesClient-Lifecycle-System (if we auto enroll user certificates, we can check CertificateServicesClient-Lifecycle-User, it is under CertificateServicesClient-Lifecycle-System)->**Operational**

     We can see more information as below, the Event ID is 1006:

*Q1: What triggers Windows to request a new certificate from the same template if it already has one that is valid and not yet in its renewal period?*

A1: We can try the above steps to check.

*Q2: Why does Windows NOT archive/delete the old (revoked) certificate if it received a new one from the same template?*

A2: Would you please check:

1. Whether this certificate is revoked or expired?
2. What certificate template do we use?
3. How do we configure this certificate template?

Meanwhile, if it does not work through the above information, would you please confirm:

1. How many computers are involved in the problem we mentioned?
2. How many certificate templates are involved in the problem we mentioned?

Best Regards,
Daisy Zhou

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
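The checks the reply above walks through by hand, as an added PowerShell example that is not part of the thread: it lists every certificate in the LocalMachine\My store by issuing template, warns when one template holds more than one certificate (the "old certificate not removed" case from the question), runs an online revocation check per certificate so "revoked" can be told apart from "revocation status could not be determined", and reads the lifecycle log and event ID the reply names. It assumes an elevated session on the domain-joined client; the template-name parsing of the extension text is a heuristic.

```powershell
# Added example (not from the thread). Inventory LocalMachine\My by template,
# flag duplicate templates, run an online revocation check on each certificate,
# and pull recent auto-enrollment lifecycle events (event ID 1006 as the reply cites).
$templateOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')  # v2+/v1 template extensions

function Get-TemplateName([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert) {
    $ext = $Cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    if ($null -eq $ext) { return '(no template extension)' }
    # Format() renders text such as "Template=Workstation Authentication(1.3.6...), Major Version Number=..."
    # Keeping the readable name only is a heuristic (assumption), good enough for grouping.
    return (($ext.Format($false) -replace '^Template=', '') -split '\(')[0].Trim()
}

function Test-Revocation([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if ($chain.Build($Cert)) { return 'OK' }
    # Status flags separate "Revoked" from "RevocationStatusUnknown"/"OfflineRevocation",
    # i.e. a CRL the client could not fetch yet, which is the delay the question suspects.
    return (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
}

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Template   = Get-TemplateName $_
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        Revocation = Test-Revocation $_
    }
}
$report | Sort-Object Template, NotAfter | Format-Table -AutoSize

# More than one certificate from the same template: the scenario the question describes
$report | Group-Object Template | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("Template '{0}' has {1} certificates in LocalMachine\My" -f $_.Name, $_.Count)
}

# Auto-enrollment lifecycle events from the log named in the reply
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'
    Id      = 1006
} -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-List
```

Compare the thumbprints in the duplicate-template warnings with the events' timestamps to see whether the extra certificate arrived through auto-enrollment and whether the older one reads as revoked or merely unknown at that moment.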


Friday, December 6, 2019 7:03 AM

Hi,
Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?
Best Regards,
Daisy Zhou



Tuesday, December 10, 2019 10:21 AM

Hi,
Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Again, thanks for your time and have a nice day!

Best Regards,
Daisy Zhou



Wednesday, December 11, 2019 4:22 PM

Thanks for your answers, Daisy. I'll need to check, but I believe I have "Sign & Encrypt" in the template, and the "Delete revoked or expired certs" box checked.

Although the old certs are definitely revoked at PKI level (auto-revoked when new one with same CN is issued), I'm not sure the workstation knows about it straight away (possible CRL update delay). Could that cause the issue? Aren't Windows clients supposed to clean up older identical certs when receiving a new one from the AutoEnroll server (regardless if it's still valid)?


Monday, December 16, 2019 9:25 AM

Hi,
According to knowledge, if the certificate exists and the certificate status is OK (I mean the certificate is not expired or revoked), it will not enroll the same certificate automatically.

Best Regards,
Daisy Zhou
