PCs certificates

sara2000
sara2000 used Ask the Experts™
on
We have about 100 PCs and they all authenticated with DC by 802.1X. All the PCs have certificate from our internal CA. We are changing the HASH algorithm from SHA1 to SHA256.
I want to push new certificates to all the PC and server with old issued template.
How do i push new cert to all devices same time?
The template is configure to auto-enroll via GPO. As i understand that renewal will only take place without my intervention.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
MaheshArchitect
Distinguished Expert 2018

Commented:
Even template is already configured for auto enrollment via gpo, there is no option to forcefully renew computer certificate unless you manually delete cert from computer
Else computers will auto enroll cert when renewal period start
Else configure new template for auto enrollment but still applications can use old cert until it expires
Michael B. SmithManaging Consultant

Commented:
First, in the GPO, ensure that you have "Update certificates that use certificate templates" enabled.

Next, open the Certificate Template MMC and right-click over the template. Select "Re-enroll all certificate holders".

Users re-enroll on logon and every 8 hours (approximately). Computers re-enroll on boot and every 8 hours (approximately).

Author

Commented:
My understanding is that, PC will only re-enroll if it does not have a cert, the PC has a valid cert Why it is going to re-enroll?
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

MaheshArchitect
Distinguished Expert 2018
Commented:
Michael is correct, for that option to work, your certificate template must be V2

One more option could be: Create new version 2 (V2) template from existing V1 template with autoenrollment permissions and then within template properties \ under superseded templates add old template, this will renew certificates with new templates
Michael B. SmithManaging Consultant
Commented:
That is the purpose behind "certutil -pulse". You can do one or more manually yourself, if you want, to prove the operation. Or you can supersede the template.

Author

Commented:
What the superseded does?
Is it removing the old and replace with ver2?
Managing Consultant
Commented:
no. you create a new cert template based on an old cert template.

In Certificate Templates, right-click on the template you want to update. Select Duplicate Template. On the dialog that opens, go to the Superseded Templates tab and (if it's not already there) add the name of the template you want to replace. Go to the general tab and set all those values appropriately. On the Request Handling tab, check the box for "allow private key to be exported" (or not - whatever your standards are). Fill out the other tabs as appropriate. Save the new template.

Now you can use the new template.
Asif BacchusI.T. Consultant

Commented:
I would recommend using the latest version template you can if at all possible and supercede your older one.  Also, I've ALWAYS had to use 'certutil -pulse' in situations like this.  Michael has you on the right track, just wanted to add my 2 cents about needing that certutil command.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial