I'm testing the Certificate Authority in my lab environment (running a Windows 2008 domain).
One thing I found is that right after I installed a new Certificate Authority (enterprise root CA) in the environment, the CA root certificate was pushed to all client machines and added under the "Trusted Root Certification Authorities" store.
However, after the original root certificate expired, I renewed the root certificate in the CA, but the new CA root certificate never got pushed to client machines.
I have checked the following two group policy items, but both of them were configured to "Enabled" already. I would like to find out which configuration controls when a CA root certificate gets pushed to client machines. Please assist! TIA!!
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Services Client - Auto-Enrollment
User Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Services Client - Auto-Enrollment