Question:
I have implemented a PKI infrastructure for email encryption and email signature.

The problem I am running into is when testing the renewal of the user certificate using CERTMGR on the client computer. The client renews the certificate by right-clicking on it and selecting "Renew Certificate with Same Key". Then the CA manager approves/issues the certificate. The CA manager exports the certificate and gives it to the intended user to install. The intended user installs the certificate. The newly installed certificate does not have a private key attached to it. This setup seems to fail specifically for one type of certificate (Exchange User), although it appears to work for other types of certificate (digital signature, EFS, code signing).

The only workaround seems to be to allow autoenrollment on the security template? Is this a requirement for the user renewal to work, specifically for the Exchange User template??

I have tested this in three separate environments. In my lab environment:

Scenario 1
1. Auto Enrollment is not enabled on the security template for the Email Encryption template.
2. Under "Require the following for re-enrollment", the radio button is checked for "Same criteria as for enrollment"
OR
3. Under "Require the following for re-enrollment", the radio button is checked for "Valid existing certificate"
4. When the user renews the certificate using Certmgr, the CA Manager will have to issue the certificate and then export it out.
5. The user imports the certificate on a client machine, in both my test environment and the customer test environment. The new certificate will not have a private key attached to it.

Scenario 2
1. Auto Enrollment is enabled on the security template for the Email Encryption template.
2. On the Issuance Requirements tab, there is a check mark for "CA certificate manager approval".
3. Under "Require the following for re-enrollment", the radio button is checked for "Same criteria as for enrollment".
4. The customer renews the certificate with the SAME KEY using CertMgr.msc.
5. The CA Manager issues the certificate and sends it to the client to install. The client installs the certificate, but no private key gets attached to the certificate.

Scenario 3
6. Auto Enrollment is enabled on the security template for the Email Encryption template.
7. On the Issuance Requirements tab, there is a check mark for "CA certificate manager approval".
8. Under "Require the following for re-enrollment", the radio button is checked for "Valid existing certificate".
9. The customer renews the certificate with the SAME KEY using CertMgr.msc, and the certificate automatically gets installed. This worked in the customer environment.
10. In step #4, I had two different behaviors. The difference in the behavior is that the CA Manager must issue the certificate and export it to the user for installation, which I did get in my lab environment at one point during the testing. The settings are exactly the same as those in step 4.
11. There is no documentation anywhere on the Microsoft website in terms of best practice for renewing the certificate. David suggested posting the question to the Microsoft forums to see if I get any responses.
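A quick way to confirm the symptom described above on the client, as an added diagnostic that is not part of the original post: list the certificates in the user's personal store with the template that issued each one and whether Windows has a private key associated, then attempt to re-link any certificate that lost its key association. It assumes the renewed certificate was imported into CurrentUser\My and that the original key still exists in the user's key container (a key that was never generated cannot be repaired this way).

```powershell
# Added diagnostic (not from the original post): report template and private-key
# association for each certificate in the current user's personal store.
# A certificate renewed "with the same key" should show HasPrivateKey = True.

# Certificate Template Information (v2/v3) and Certificate Template Name (v1) extensions
$templateOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($templateOids -contains $ext.Oid.Value) {
            # Format() renders e.g. "Template=Exchange User(1.3.6.1.4.1.311.21.8...)"
            return $ext.Format($false)
        }
    }
    return '(no template extension)'
}

$report = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        Serial        = $_.SerialNumber
        NotAfter      = $_.NotAfter
        Template      = Get-TemplateName -Cert $_
        HasPrivateKey = $_.HasPrivateKey   # False is the symptom from the post
    }
}

$report | Sort-Object Template, NotAfter | Format-Table -AutoSize

# For each certificate with no key link, ask certutil to search the user's key
# container for a matching private key and re-associate it with the certificate.
$orphans = $report | Where-Object { -not $_.HasPrivateKey }
foreach ($o in $orphans) {
    Write-Host "Attempting key re-association for serial $($o.Serial) [$($o.Template)]"
    certutil -user -repairstore My $o.Serial
}
```

If `certutil -repairstore` reports that no matching key was found, the renewed certificate was issued for a key the client does not hold, which points back at the template or request settings rather than at the import step.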