The Auto-Enrollment Objects Do Not Work When a Certification Authority Certificate Is Renewed (270048)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Certificate Services 2.0

This article was previously published under Q270048

SYMPTOMS

The auto-enrollment objects do not work when a certification authority (CA) certificate is renewed.

CAUSE

This problem can occur because auto-enrollment objects store the hash of the certificate of the CA to identify the CA from which to enroll the specified certificate template. When the CA is renewed, the expiration date of the certificate is extended, which changes the certificate. The hash value of the new certificate does not match the value specified in the auto-enrollment object, which prevents the server or client from automatically enrolling for a new certificate.
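The mismatch described above can be reproduced outside Windows. This is an added example, not Microsoft code and not part of the original article: it uses Go's standard crypto/x509 package to issue a CA certificate and then a renewal of it with the same key and subject but a later expiration date. The CA name, the dates, the SHA-1 hash and the Ed25519 key type are assumptions made for the illustration; Ed25519 is used because its signatures are deterministic, so the expiration date is the only thing that differs between the two certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCAKey generates the CA key pair, which the renewal below reuses unchanged.
func newCAKey() ed25519.PrivateKey {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// issueCA returns a self-signed DER CA certificate expiring on 1 Jan of expiryYear.
func issueCA(key ed25519.PrivateKey, expiryYear int) []byte {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed
		NotBefore:             time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(expiryYear, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return der
}

// certHash hashes the whole encoded certificate; SHA-1 is an assumption here.
func certHash(der []byte) [sha1.Size]byte {
	return sha1.Sum(der)
}

func main() {
	key := newCAKey()
	pinned := certHash(issueCA(key, 2002)) // hash recorded before the renewal
	fmt.Printf("original CA matches: %v\n", certHash(issueCA(key, 2002)) == pinned)
	fmt.Printf("renewed CA matches:  %v\n", certHash(issueCA(key, 2004)) == pinned)
}
```

Anything that identifies a CA by the hash of its certificate, as the auto-enrollment object does, has to be updated whenever that certificate is reissued, even when the key pair is unchanged.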

RESOLUTION

To resolve this problem, delete the existing auto-enrollment object and create a new object that references the new CA:
  1. Identify those policies that are contained in the Automatic Certificate Request Settings folder. There are no default auto-enrollment policies.
  2. Open the policy and locate the following tree: click Computer Configuration, click Windows Settings, click Security Settings, click Public Key Policy, and then click Automatic Certificate Request Settings.
  3. From the list of auto-enrollment objects, select those objects that were issued by the CA whose certificate has since been renewed. The issuing CA can be located by double-clicking the auto-enrollment object.
  4. Delete the auto-enrollment objects issued by the renewed CA.
  5. Recreate the auto-enrollment object. Right-click the Detail pane, click New, click Automatic Certificate Request, and complete the wizard.
  6. Repeat the steps until all deleted auto-enrollment objects have been recreated.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Modification Type: Minor
Last Reviewed: 1/20/2006
Keywords: kbCertServices kbprb w2000certsrv KB270048