sara2000
 asked on

PCs certificates

We have about 100 PCs and they all authenticate with the DC by 802.1X. All the PCs have a certificate from our internal CA. We are changing the hash algorithm from SHA1 to SHA256.
I want to push new certificates to all the PCs and servers with the old issued template.
How do I push a new cert to all devices at the same time?
The template is configured to auto-enroll via GPO. As I understand it, renewal will only take place without my intervention.
Active Directory, PC


8/22/2022 - Mon
Mahesh

Even if the template is already configured for auto-enrollment via GPO, there is no option to forcefully renew a computer certificate unless you manually delete the cert from the computer.
Else computers will auto-enroll the cert when the renewal period starts.
Else configure a new template for auto-enrollment, but applications can still use the old cert until it expires.
Michael B. Smith

First, in the GPO, ensure that you have "Update certificates that use certificate templates" enabled.

Next, open the Certificate Template MMC and right-click over the template. Select "Re-enroll all certificate holders".

Users re-enroll on logon and every 8 hours (approximately). Computers re-enroll on boot and every 8 hours (approximately).
sara2000

ASKER
My understanding is that a PC will only re-enroll if it does not have a cert. The PC has a valid cert. Why is it going to re-enroll?
sara2000

ASKER
What does superseded do?
Does it remove the old one and replace it with ver2?
Asif Bacchus

I would recommend using the latest version template you can if at all possible and supersede your older one. Also, I've ALWAYS had to use 'certutil -pulse' in situations like this. Michael has you on the right track, just wanted to add my 2 cents about needing that certutil command.
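
To confirm on a client that the re-enrollment discussed in this thread actually replaced the SHA1 certificate, the following is an added example and not part of any poster's answer. It lists the computer store's certificates with their signature algorithm and template, runs `certutil -pulse`, and reports any certificate still signed with SHA1. It assumes an elevated PowerShell session on the client; the function name and the 60-second wait are illustrative choices.

```powershell
# Added example (not from the thread): audit LocalMachine\My for SHA1-signed
# certificates, pulse autoenrollment, then re-check. Run elevated on the client.

# Signature algorithm OIDs that use SHA1
$Sha1SigOids = @(
    '1.2.840.113549.1.1.5',  # sha1WithRSAEncryption
    '1.2.840.10045.4.1',     # ecdsa-with-SHA1
    '1.2.840.10040.4.3'      # dsa-with-sha1
)
# Extensions that carry the certificate template identity
$TemplateOids = @(
    '1.3.6.1.4.1.311.21.7',  # Certificate Template Information (v2+ templates)
    '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
)

function Get-MachineCertReport {   # hypothetical helper name
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $tmpl = $cert.Extensions |
            Where-Object { $TemplateOids -contains $_.Oid.Value } |
            Select-Object -First 1
        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            SignatureAlg = $cert.SignatureAlgorithm.FriendlyName
            IsSha1       = $Sha1SigOids -contains $cert.SignatureAlgorithm.Value
            Template     = if ($tmpl) { $tmpl.Format($false) } else { '(no template extension)' }
        }
    }
}

$before = @(Get-MachineCertReport)
$before | Format-Table Subject, SignatureAlg, NotAfter, Template -AutoSize

if ($before | Where-Object IsSha1) {
    certutil -pulse | Out-Null      # trigger autoenrollment now instead of waiting ~8 hours
    Start-Sleep -Seconds 60         # assumption: enrollment runs asynchronously; adjust as needed

    $stillSha1 = @(Get-MachineCertReport | Where-Object IsSha1)
    if ($stillSha1.Count -gt 0) {
        Write-Warning "$($stillSha1.Count) certificate(s) still signed with SHA1:"
        $stillSha1 | Format-Table Subject, Thumbprint, NotAfter, Template -AutoSize
    } else {
        Write-Output 'No SHA1-signed certificates remain in LocalMachine\My.'
    }
} else {
    Write-Output 'No SHA1-signed certificates found in LocalMachine\My.'
}
```

Self-signed or third-party certificates in the same store are reported too; the Template column shows which ones came from the internal CA's template.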