Windows 7 does not renew CA certificate

  • 206 Views
  • Last Post 18 January 2020
adriaoramos posted this 17 January 2020

Good morning.


I have some Windows 7 computers that didn't renew their computer certificate. When I use the command "certutil -store my", the certificate is expired and does not renew. It happens only with some Windows 7 computers, on a specified date. All other computers are renewing and getting their certificates normally. Is there a way to force the computer to contact the PKI and renew the certificate? Without the certificate they don't access the network.
Thank you

FAB posted this 17 January 2020

Hi,

"certutil -pulse" should trigger the enrollment, given they have the necessary permissions on the target templates.

--
Kind regards,
Adrian


adriaoramos posted this 17 January 2020

It did not work.

I get the error "system cannot find specified file".

Thank you

Adriao Ferreira Ramos
Infrastructure team, Operations and Infrastructure Department - CII



barkills posted this 17 January 2020

So many details you aren’t giving us … it’s hard to know whether you’ve done any troubleshooting at all or are just hoping we can produce magic from a couple bits of information.

 

AD-integrated issuing CA? Or external CA?

You’ve implied this is a machine cert, but not explicitly said so. Is it a machine cert or a user cert?

Has the computer lost its trust relationship with the domain?

Presuming this is an AD-integrated issuing CA, does the computer (or user) have the auto-enroll permission for the certificate template?

What happens when you manually request a cert renewal?

If user cert, did the user login via cached credentials?

What’s in the cert store on the computer having issues? Does that reveal any clues (like a missing private key)?

Is the CRL for the issuing CA published? Have you manually verified you can contact it from the computer having issues?

What’s in the CRL? Is the cert you are trying to renew or any of the certs in the chain revoked?

How about expirations of certs in the chain?

 

That’s just a sample of the kinds of troubleshooting questions you should be thinking about.

 

Brian

 


adriaoramos posted this 17 January 2020

Sorry, I will correct it:

We use Cisco AnyConnect (ISE), and all our desktops need to have antivirus, updates and the certificate issued by our internal PKI. On some Windows 7 desktops the certificate expired on October 20th and they didn't renew it. I am trying to work around this problem and make them get a new certificate. It happened to some computers, and only with the Windows 7 OS; after October 20th, everything is working fine.

My problem is to make the ones that didn't renew work again. I don't want to format them.

Ravi.Sabharanjak posted this 18 January 2020

I forgot whether Win7 does the cert enrollment with a scheduled task or not. They changed this in one of the recent releases. If it is a built-in scheduled task, you can run that command manually and check the logs.
I am guessing these machines did not have domain connectivity when the renewal was tried.


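Brian's troubleshooting checklist (what is in the store, private key present, secure channel, CRL reachability, chain expiry, manual renewal) and Ravi's point about the autoenrollment scheduled task, collected into one script. This is an added example and not code posted by anyone in the thread. It assumes an AD-integrated issuing CA, a machine certificate in LocalMachine\My, and that the affected computer can currently reach a domain controller, the CA and the CDP/AIA URLs (the original post says the machines lose network access without the certificate, so they may first need to be put on a segment where the PKI is reachable). The task path `\Microsoft\Windows\CertificateServicesClient\SystemTask` exists on Windows 8 and later; on Windows 7 the script falls back to a machine policy refresh plus `certutil -pulse`. `<SerialNumber>` is a placeholder to be taken from step 1. Syntax is kept PowerShell 2.0 compatible so it runs on a stock Windows 7 box.

```powershell
# Added troubleshooting script; not from the thread. Assumptions (see lead-in):
#  - AD-integrated issuing CA, machine certificate in LocalMachine\My
#  - the host can currently reach a DC, the CA and the CDP/AIA URLs
#  - run from an elevated PowerShell prompt on the affected Windows 7 host
# Written to PowerShell 2.0 syntax (no Export-Certificate, no PKI module).

$ErrorActionPreference = 'Continue'
$now = Get-Date

# 1. Cert store: which certs are expired, and do they still have a private key?
$certs = @(Get-ChildItem Cert:\LocalMachine\My)
foreach ($c in $certs) {
    $state = if ($c.NotAfter -lt $now) { 'EXPIRED' } else { 'valid  ' }
    '{0} {1} exp={2:yyyy-MM-dd} key={3} serial={4}' -f $state, $c.Subject,
        $c.NotAfter, $c.HasPrivateKey, $c.SerialNumber
}

# 2. Domain trust: a broken secure channel stops machine autoenrollment.
'Secure channel to domain OK: ' + (Test-ComputerSecureChannel)

# 3. Chain, CRL and AIA for each expired cert, fetched over the network by
#    certutil -verify -urlfetch. Lines matching Expired/Revoked/Failed are the
#    ones to read; "Verified" means the chain and revocation checks passed.
foreach ($c in ($certs | Where-Object { $_.NotAfter -lt $now })) {
    $path = Join-Path $env:TEMP ($c.Thumbprint + '.cer')
    [IO.File]::WriteAllBytes($path, $c.Export('Cert'))
    "--- certutil -verify -urlfetch for $($c.Subject)"
    certutil -verify -urlfetch $path | Select-String 'Expired|Revoked|Failed|Error|Verified'
}

# 4. Why did the October renewal fail? Autoenrollment writes to the Application
#    log under this provider; an RPC-unavailable error there means no CA was
#    reachable at the time, which is Ravi's connectivity theory.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = $now.AddDays(-120)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 3 } |          # 1 critical, 2 error, 3 warning
    Select-Object TimeCreated, Id, Message | Format-List

# 5. Trigger autoenrollment. Windows 8+ exposes it as a scheduled task; if that
#    task is absent (Windows 7), refresh machine policy and pulse it directly.
$taskName = '\Microsoft\Windows\CertificateServicesClient\SystemTask'
$null = schtasks /Query /TN $taskName 2>&1
if ($LASTEXITCODE -eq 0) {
    schtasks /Run /TN $taskName
} else {
    gpupdate /target:computer /force
    certutil -pulse
}

# 6. Manual renewal of one expired cert (Brian's "what happens when you renew
#    by hand?"). Take the serial from step 1; ReuseKeys keeps the existing key
#    pair. If the CA refuses to renew an already-expired certificate, the fix is
#    to clear whatever steps 2-4 reported and let autoenrollment (step 5) enrol
#    a new certificate from the template.
# certreq -Enroll -machine -q -cert <SerialNumber> Renew ReuseKeys
```

Run steps 1 to 4 first and read their output before touching step 5: they separate the three failure modes Brian lists (nothing usable in the store, a dead secure channel, an unreachable CRL or CA) from a plain permission problem on the template, which would show up in step 4 as an enrollment error rather than a connectivity error.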
