Certificate auto-renewal

Bojan Zivkovic 646 Reputation points

Hi, the certificate auto-renewal period started a few days ago and the certificate still has not been auto-renewed (the log is clear, without any errors/info/warnings). In the past, the certificate was always auto-renewed on the very first day of the auto-renewal period. This is bothering one team depending on LDAPS too much, so I am curious to know whether this is normal behavior - the MS doc I read before stated that the auto-renewal process should have taken place, but in this case the expiring certificate is still there.

Thank you in advance.


3 answers

  1. Bojan Zivkovic 646 Reputation points

    It seems a colleague made some config changes to remediate a vulnerability and in doing so he broke the CA - changes reverted and now everything works fine.

  2. Domic Vo 24,370 Reputation points • Independent Advisor

    Hi Bojan Zivkovic,

    The absence of log errors confirms that autoenrollment has not failed; the system simply has not executed its scheduled background check since crossing the renewal threshold. Computer certificate autoenrollment runs as a Group Policy client-side extension during standard background refresh intervals, which occur every ninety minutes with a randomized time offset. Entering the renewal window makes the certificate eligible for replacement, but the background engine does not instantly trigger an update the exact moment the threshold is reached.

    If the application team requires immediate renewal for peace of mind, you can safely force the process manually. Running the command certutil -pulse from an elevated Command Prompt on the Domain Controller instructs the engine to evaluate all machine templates immediately and submit the renewal request to your Certificate Authority without waiting for the next background refresh cycle.

    Domic V.

  3. AI answer

    For Windows environments, behavior can differ depending on how certificate enrollment and renewal are configured.

    From the provided information, two key points are relevant:

    1. Auto-enrollment can mis-handle certificates when they enter the renewal period in some Windows Server 2008 R2 Active Directory Certificate Services scenarios. Specifically, when multiple certificates are issued from the same template and auto-enrollment is configured with “Renew expired certificates, update pending certificates, and remove revoked certificates,” a certificate that enters the renewal period may be treated as expired and archived incorrectly. This can lead to service outages because a new certificate is not generated if auto-enrollment is not correctly configured for that template.
    2. In MDM-based scenarios (Windows client certificate renewal via MDM), renewal timing is controlled by the renewal period and retry interval configured through the CertificateStore CSP (RenewPeriod and RenewInterval). The device retries automatic renewal multiple times until the certificate expires. Automatic renewal does not occur if the certificate is already expired, and administrators are advised to configure renewal to start well before expiry (for example, 40–60 days) with retry intervals of a few days.

    Given this, it is possible and supported that renewal does not occur immediately on the first day of the renewal window. The system may:

    • Treat the certificate incorrectly (for example, archive it) in some Windows Server 2008 R2 auto-enrollment cases, or
    • Attempt renewal multiple times over the configured renewal period and retry interval (MDM scenarios) rather than renewing on the first day.

    If LDAPS depends on this certificate, the recommended actions based on the context are:

    • Verify that auto-enrollment is correctly configured for the certificate template and that the template is enabled for auto-enrollment.
    • Ensure that the renewal period and retry interval (if managed via MDM/CertificateStore CSP) are set so renewal starts sufficiently before expiry and retries occur every few days.
    • Confirm that the certificate has not been archived incorrectly when entering the renewal period (especially on Windows Server 2008 R2 with AD CS) and that a new certificate is actually being issued.

    These behaviors mean that not renewing on the very first day of the renewal period can be normal, but misconfiguration or the known auto-enrollment issue can also prevent renewal and cause outages, so configuration and certificate state should be checked carefully.
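A check script, added here as an example and not taken from the thread, that ties the answers above together: it lists the machine's Server Authentication certificates (the ones LDAPS can use) with days to expiry, whether each sits inside the renewal window and whether it has been archived, shows the last week of autoenrollment events, and optionally forces the Group Policy autoenrollment pass with certutil -pulse. The 42-day renewal period and the event provider name are assumptions; run it elevated in PowerShell on the domain controller.

```powershell
param(
    [int]$RenewalDays = 42,   # assumed template renewal period; read yours from the template
    [switch]$Pulse            # also run "certutil -pulse" when an eligible certificate is found
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, required for LDAPS
$now = Get-Date
$report = @()

# -Force also lists archived certificates, which the cert: provider hides by default.
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My -Force) {
    # Only certificates usable for LDAPS are interesting here.
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) { continue }

    # Template name from the V2 (1.3.6.1.4.1.311.21.7) or V1 (1.3.6.1.4.1.311.20.2) extension, if present.
    $tmpl = $cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
        ForEach-Object { $_.Format($false) } | Select-Object -First 1

    $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)
    $report += [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        Subject         = $cert.Subject
        Template        = $tmpl
        NotAfter        = $cert.NotAfter
        DaysLeft        = $daysLeft
        Archived        = $cert.Archived
        InRenewalWindow = ($daysLeft -gt 0 -and $daysLeft -le $RenewalDays)
    }
}
$report | Format-Table -AutoSize

# Recent autoenrollment events from the Application log (provider name as assumed here).
try {
    Get-WinEvent -ErrorAction Stop -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        StartTime    = $now.AddDays(-7)
    } | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
} catch {
    Write-Warning "No autoenrollment events in the last 7 days: $($_.Exception.Message)"
}

# Force the autoenrollment CSE to run now instead of waiting for the next GP background refresh.
if ($Pulse -and ($report | Where-Object InRenewalWindow).Count -gt 0) {
    certutil -pulse
}
```

A certificate that shows InRenewalWindow = True but no new thumbprint and no autoenrollment events after a pulse points at the template or CA side (the root cause in this thread) rather than at the refresh timer.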