Link to home
Start Free TrialLog in
Avatar of sara2000
sara2000

asked on

PCs certificates

We have about 100 PCs and they all authenticated with DC by 802.1X. All the PCs have certificate from our internal CA. We are changing the HASH algorithm from SHA1 to SHA256.
I want to push new certificates to all the PC and server with old issued template.
How do i push new cert to all devices same time?
The template is configure to auto-enroll via GPO. As i understand that renewal will only take place without my intervention.
Avatar of Mahesh
Mahesh
Flag of India image

Even template is already configured for auto enrollment via gpo, there is no option to forcefully renew computer certificate unless you manually delete cert from computer
Else computers will auto enroll cert when renewal period start
Else configure new template for auto enrollment but still applications can use old cert until it expires
First, in the GPO, ensure that you have "Update certificates that use certificate templates" enabled.

Next, open the Certificate Template MMC and right-click over the template. Select "Re-enroll all certificate holders".

Users re-enroll on logon and every 8 hours (approximately). Computers re-enroll on boot and every 8 hours (approximately).
Avatar of sara2000
sara2000

ASKER

My understanding is that, PC will only re-enroll if it does not have a cert, the PC has a valid cert Why it is going to re-enroll?
SOLUTION
Avatar of Mahesh
Mahesh
Flag of India image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
What the superseded does?
Is it removing the old and replace with ver2?
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I would recommend using the latest version template you can if at all possible and supercede your older one.  Also, I've ALWAYS had to use 'certutil -pulse' in situations like this.  Michael has you on the right track, just wanted to add my 2 cents about needing that certutil command.