PC certificates

We have about 100 PCs and they all authenticate with the DC by 802.1X. All the PCs have certificates from our internal CA. We are changing the hash algorithm from SHA1 to SHA256.
I want to push new certificates to all the PCs and servers with the old issued template.
How do I push a new cert to all devices at the same time?
The template is configured to auto-enroll via GPO. As I understand it, renewal will only take place without my intervention.
sara2000 asked:
Mahesh (Architect) commented:
Even if the template is already configured for auto-enrollment via GPO, there is no option to forcefully renew a computer certificate unless you manually delete the cert from the computer.
Otherwise, computers will auto-enroll a cert when the renewal period starts.
Or configure a new template for auto-enrollment, but applications can still use the old cert until it expires.
Michael B. Smith (Managing Consultant) commented:
First, in the GPO, ensure that you have "Update certificates that use certificate templates" enabled.

Next, open the Certificate Template MMC and right-click over the template. Select "Re-enroll all certificate holders".

Users re-enroll on logon and every 8 hours (approximately). Computers re-enroll on boot and every 8 hours (approximately).
sara2000 (Author) commented:
My understanding is that the PC will only re-enroll if it does not have a cert. The PC has a valid cert; why is it going to re-enroll?
Mahesh (Architect) commented:
Michael is correct; for that option to work, your certificate template must be V2.

One more option could be: create a new version 2 (V2) template from the existing V1 template with autoenrollment permissions, and then within the template properties, under Superseded Templates, add the old template. This will renew certificates with the new template.
Michael B. Smith (Managing Consultant) commented:
That is the purpose behind "certutil -pulse". You can do one or more manually yourself, if you want, to prove the operation. Or you can supersede the template.
sara2000 (Author) commented:
What does superseding do?
Does it remove the old one and replace it with the V2?
Michael B. Smith (Managing Consultant) commented:
No. You create a new cert template based on an old cert template.

In Certificate Templates, right-click on the template you want to update. Select Duplicate Template. On the dialog that opens, go to the Superseded Templates tab and (if it's not already there) add the name of the template you want to replace. Go to the General tab and set all those values appropriately. On the Request Handling tab, check the box for "Allow private key to be exported" (or not, whatever your standards are). Fill out the other tabs as appropriate. Save the new template.

Now you can use the new template.
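Once the superseding template is published, the rollout can be verified from each client rather than assumed. The following PowerShell is an added example, not code from any participant in this thread: it lists the machine certificates in the local computer store that were issued from a template, flags the ones still signed with SHA1 (those are the ones the new SHA256-signing CA has not yet replaced), and optionally runs the `certutil -pulse` command mentioned earlier instead of waiting for the next autoenrollment cycle. The two template extension OIDs are the standard Microsoft ones; the script assumes it is run elevated.

```powershell
# Added example (not from the thread): report machine certificates by template
# and signature hash, then optionally kick autoenrollment with certutil -pulse.
param(
    [switch]$Pulse    # pass -Pulse to trigger autoenrollment after the report
)

# Standard Microsoft extension OIDs that carry the issuing template:
#   1.3.6.1.4.1.311.21.7  Certificate Template Information (V2+ templates)
#   1.3.6.1.4.1.311.20.2  Certificate Template Name       (V1 templates)
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'

function Get-TemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -in $templateOids) {
            # Format($true) decodes the extension into readable text; the first
            # line holds the template name (V1) or "Template=Name(OID)" (V2)
            return ($ext.Format($true) -split "`r?`n")[0].Trim()
        }
    }
    return $null    # no template extension: not an enterprise CA certificate
}

$report = foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    $tmpl = Get-TemplateInfo -Cert $c
    if (-not $tmpl) { continue }
    $sigAlg = $c.SignatureAlgorithm.FriendlyName    # e.g. sha1RSA or sha256RSA
    [pscustomobject]@{
        Subject    = $c.Subject
        Template   = $tmpl
        SigAlg     = $sigAlg
        NotAfter   = $c.NotAfter
        StillSHA1  = $sigAlg -like 'sha1*'   # true = not yet re-enrolled
    }
}

# SHA1-signed certificates first so the stragglers are obvious
$report | Sort-Object StillSHA1 -Descending | Format-Table -AutoSize

if ($Pulse) {
    # Ask the autoenrollment client to run now rather than on the ~8 hour timer
    certutil -pulse
}
```

Run it once before pulsing to get a baseline, then again after a reboot or `certutil -pulse`; a certificate whose SigAlg has moved from sha1RSA to sha256RSA came from the new template.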

Asif Bacchus (I.T. Consultant) commented:
I would recommend using the latest version template you can if at all possible and supersede your older one. Also, I've ALWAYS had to use 'certutil -pulse' in situations like this. Michael has you on the right track, just wanted to add my 2 cents about needing that certutil command.