Microsoft KB Archive/270048

= The Auto-Enrollment Objects Do Not Work When a Certification Authority Certificate Is Renewed =

Article ID: 270048

Article Last Modified on 2/23/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Certificate Services 2.0




This article was previously published under Q270048



SYMPTOMS
The auto-enrollment objects do not work when a certification authority (CA) certificate is renewed.



CAUSE
This problem can occur because auto-enrollment objects store the hash of the certificate of the CA to identify the CA from which to enroll the specified certificate template. When the CA is renewed, the expiration date of the certificate is extended, which changes the certificate. The hash value of the new certificate does not match the value specified in the auto-enrollment object, which prevents the server or client from automatically enrolling for a new certificate.
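The mismatch described above can be reproduced with OpenSSL. This is an added example, not part of the original Microsoft article; the CA name and file names are constructed, and it assumes the stored CA hash is the SHA-1 of the DER-encoded certificate.

```shell
#!/bin/sh
# Added demo: renewing a CA certificate with the SAME key still changes its hash.
# "Example Root CA" and all file names are constructed for this example.
set -e
work=$(mktemp -d)

# SHA-1 over the whole DER-encoded certificate (assumed form of the stored CA hash).
thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# SHA-1 over the public key only, to confirm the key pair is unchanged.
pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha1 | awk '{print $NF}'
}

# True only if a stored hash still identifies the certificate in file $2.
request_matches_ca() {
    [ "$1" = "$(thumbprint "$2")" ]
}

# Original CA certificate, then a renewal that reuses the key and subject
# but extends the validity period.
openssl genrsa -out "$work/ca.key" 2048 2>/dev/null
openssl req -new -x509 -key "$work/ca.key" -subj "/CN=Example Root CA" \
    -days 365 -out "$work/ca_old.pem"
openssl req -new -x509 -key "$work/ca.key" -subj "/CN=Example Root CA" \
    -days 730 -out "$work/ca_new.pem"

# Hash recorded by a request object created before the renewal.
stored_hash=$(thumbprint "$work/ca_old.pem")

echo "stored CA hash : $stored_hash"
echo "renewed CA hash: $(thumbprint "$work/ca_new.pem")"
if [ "$(pubkey_hash "$work/ca_old.pem")" = "$(pubkey_hash "$work/ca_new.pem")" ]; then
    echo "public key     : unchanged"
fi
if request_matches_ca "$stored_hash" "$work/ca_new.pem"; then
    echo "result         : request still resolves to the CA"
else
    echo "result         : stale hash, delete and recreate the request object"
fi
```

Because the hash covers every field of the certificate, including the validity dates and serial number, keeping the key pair at renewal does not preserve it.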



RESOLUTION
To resolve this problem, delete the existing auto-enrollment object and create a new object that references the new CA:
 * 1) Identify those policies that are contained in the Automatic Certificate Request Settings folder. There are no default auto-enrollment policies.
 * 2) Open the policy and locate the following tree: click Computer Configuration, click Windows Settings, click Security Settings, click Public Key Policy, and then click Automatic Certificate Request Settings.
 * 3) From the list of auto-enrollment objects, select those objects that were issued by the CA whose certificate has since been renewed. The issuing CA can be located by double-clicking the auto-enrollment object.
 * 4) Delete the auto-enrollment objects issued by the renewed CA.
 * 5) Recreate the auto-enrollment object. Right-click the Detail pane, click New, click Automatic Certificate Request, and complete the wizard.
 * 6) Repeat the steps until all deleted auto-enrollment objects have been recreated.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Keywords: kbcertservices kbprb KB270048


© Microsoft Corporation. All rights reserved.