It is common for admins to miss the renewal of certificates issued by their Microsoft internal PKI (Public Key Infrastructure). Renewal is largely a manual task, so you end up setting Outlook reminders (my favorite method) or scheduled tasks to warn you before the expiration date.
However, if a particular user logs on regularly to the CA (Certificate Authority) server, we can enable autoenrollment for that user. Once configured, the certificates issued to that user from the template are renewed automatically, with two conditions to keep in mind. The autoenrollment client only runs at logon (and then every eight hours while the session stays open), so the account must log on within the template's renewal period (six weeks before expiry on the default user templates). And the certificate is renewed in that user's profile on the machine where it was enrolled, which is why the account has to keep logging on to that server. Note that this renews end-entity certificates issued from a template; the CA's own certificate is not renewed this way.
To Enable Auto Enrollment you need to do the following:
- In the Certificate Templates console (certtmpl.msc), right-click the certificate template on which you need to enable autoenrollment and open its Properties.
- On the Security tab (see the image below), add the account, or pick an existing one, and grant it the Read, Enroll and Autoenroll permissions. Autoenroll alone is not enough; the autoenrollment client also needs Read and Enroll on the template. (In my case I picked a normal low-privileged service account that connects to the server periodically, at least once a month, for maintenance and installing the latest Windows updates.) Before handing Enroll and Autoenroll to such an account, check the rest of the template: if it lets the enrollee supply the subject name and carries an authentication EKU (Client Authentication, Smart Card Logon), anyone who compromises that account can request certificates for other principals. Keep the subject built from Active Directory and the EKUs limited to what the certificate is actually used for.
- Publish the template on the CA (Certification Authority console, Certificate Templates, New, Certificate Template to Issue) and issue the needed certificate.
- Open Group Policy Management on your Domain Controller and either create a new Group Policy Object linked to the OU that contains the account (the cleaner choice) or edit the Default Domain Policy (which applies the setting to every user in the domain).
- Navigate to User Configuration – Policies – Windows Settings – Security Settings – Public Key Policies, open Certificate Services Client – Auto-Enrollment and set it to Enabled with both options ticked (Renew expired certificates, update pending certificates, and remove revoked certificates; Update certificates that use certificate templates), as shown below. The setting takes effect at the next policy refresh and logon; on the server you can force a policy refresh with gpupdate /target:user /force and trigger an autoenrollment pass immediately with certutil -pulse.
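The whole procedure above, scripted in PowerShell, as an added example that is not part of the original post. It assumes a template named MaintenanceServiceCert, a service account CORP\svc-maint, a GPO named PKI-User-AutoEnrollment and an OU OU=ServiceAccounts,DC=corp,DC=example (all hypothetical names), a host with RSAT (ActiveDirectory and GroupPolicy modules) and certutil, and an account allowed to modify template ACLs in the Configuration partition. It also adds the check a practitioner wants before widening a template's ACL: it refuses to grant Autoenroll if the template lets the enrollee supply the subject and carries an authentication EKU.

```powershell
# Added example, not code from the original post. All names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$TemplateName = 'MaintenanceServiceCert'                    # hypothetical template
$Account      = 'CORP\svc-maint'                            # hypothetical service account
$GpoName      = 'PKI-User-AutoEnrollment'                   # hypothetical GPO
$TargetOu     = 'OU=ServiceAccounts,DC=corp,DC=example'     # hypothetical OU holding the account

# 1. Locate the template object; templates live in the Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$tplDN    = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl      = Get-ADObject -Identity $tplDN -Properties 'msPKI-Certificate-Name-Flag', 'pKIExtendedKeyUsage'

# 2. Sanity-check before widening the ACL. CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) lets the
#    requester choose the subject; with an authentication EKU, whoever holds this account
#    could mint certificates for other principals, so stop here in that case.
$authEkus = @('1.3.6.1.5.5.7.3.2',       # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
              '1.3.6.1.5.2.3.4')         # PKINIT Client Authentication
$enrolleeSuppliesSubject = ($tpl.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0
$hasAuthEku = @($tpl.pKIExtendedKeyUsage | Where-Object { $authEkus -contains $_ }).Count -gt 0
if ($enrolleeSuppliesSubject -and $hasAuthEku) {
    throw "Template $TemplateName lets the enrollee supply the subject and has an authentication EKU; fix the template before granting Autoenroll."
}

# 3. Grant Read, Enroll and Autoenroll. Enroll and Autoenroll are extended rights with
#    fixed GUIDs; Read is a generic right. Autoenroll alone is not sufficient.
$sid        = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
$enrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoGuid   = [Guid]'a05b8cc2-17bc-11d1-aa5f-00c04fd7d83a'   # Certificate-AutoEnrollment
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$acl = Get-Acl -Path "AD:\$tplDN"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow)))
foreach ($g in @($enrollGuid, $autoGuid)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $g)))
}
Set-Acl -Path "AD:\$tplDN" -AclObject $acl

# 4. Publish the template on the CA (the "Certificate Template to Issue" step). Run this on
#    the CA itself, or prepend -config "CAHost\CAName" when running it elsewhere.
certutil -SetCATemplates "+$TemplateName"

# 5. Use a dedicated GPO linked to the account's OU instead of the Default Domain Policy.
#    AEPolicy = 7 is the value the editor writes for "Enabled" with both options ticked.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $TargetOu -ErrorAction SilentlyContinue | Out-Null
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# 6. Verify the template ACL now carries the three rights for the account.
Get-Acl -Path "AD:\$tplDN" | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize

# 7. On the CA server, logged on as the service account, force a pass and inspect the result:
#      gpupdate /target:user /force
#      certutil -pulse
#      Get-ChildItem Cert:\CurrentUser\My | Format-Table Subject, NotBefore, NotAfter
```

The check in step 2 is deliberately placed before the ACL change: once a low-privileged account holds Enroll and Autoenroll on a template, the template's own settings (subject source, EKUs, manager approval) are what bound the damage if that account is ever compromised, so they are worth confirming every time the ACL is widened.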