I'm attempting to set up a certificate template, based on a working one, that will enable Domain Computers to renew their issued certificates automatically before they expire. Despite my efforts, it hasn't been functioning as expected during testing, and I'm unsure what's going wrong.
I've enabled the setting in Group Policy at `Computer\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto-enrollment`, ensuring both the renew and update certificates options are checked, with expiration logging set to start at 10%.
However, when using `gpupdate /target:computer /force` or `certutil -pulse`, I come across an Event ID 1003 in the Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational log, but it fails to renew the certificates. What could I be overlooking, or where else might I check to figure out why the certificates aren't renewing?
3 Answers
Make sure that your Group Policy settings are applying correctly. You can check the results with `gpresult /h report.html` to confirm that the settings are being enforced on the target machines.
Have you granted the domain computers the necessary permissions on the template? They need to have Read, Enroll, and Autoenroll permissions to successfully renew the certificates.
Also, double-check if your template is configured correctly for auto-enrollment. Sometimes, the template settings can have specific constraints that might need to be adjusted.
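
One way to verify the permissions mentioned in the answers above is to read the template's ACL straight from Active Directory. This is an added example, not code from any of the posters; the template name is a placeholder, and it assumes a domain-joined machine with read access to the Configuration partition.

```powershell
# Added example: report whether a group holds Read / Enroll / Autoenroll on a template.
param(
    [string]$TemplateName = 'PLACEHOLDER-TemplateCN',  # assumption: CN of your template
    [string]$Principal    = 'Domain Computers'
)

# Extended-right GUIDs from the AD schema
$Enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnroll = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$ADR        = [System.DirectoryServices.ActiveDirectoryRights]

# Templates live under the forest's Configuration naming context
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    throw "Template not found: $path"
}
$template = [ADSI]$path

# Allow ACEs granted directly to the group (explicit and inherited)
$rules = $template.psbase.ObjectSecurity.GetAccessRules(
            $true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$Principal"
    }

$has = [ordered]@{ Template = $TemplateName; Principal = $Principal
                   Read = $false; Enroll = $false; Autoenroll = $false }
foreach ($r in $rules) {
    # Read: ReadProperty on the whole object (no property-specific ObjectType)
    if (($r.ActiveDirectoryRights -band $ADR::ReadProperty) -and
        ($r.ObjectType -eq [guid]::Empty)) { $has.Read = $true }

    # An empty ObjectType on an ExtendedRight ACE means "all extended rights"
    if ($r.ActiveDirectoryRights -band $ADR::ExtendedRight) {
        if ($r.ObjectType -in @($Enroll, [guid]::Empty))     { $has.Enroll = $true }
        if ($r.ObjectType -in @($AutoEnroll, [guid]::Empty)) { $has.Autoenroll = $true }
    }
}

# Note: rights granted via other groups and Deny ACEs are not evaluated here.
[pscustomobject]$has
```

Any column that comes back `False` is a permission the group does not hold directly on that template.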
