Windows: Renew a machine certificate

Hi,

In most Active Directory environments certificate autoenrollment is active, which generates and enrolls a certificate for each client computer. This certificate can be used for RADIUS authentication or as the server certificate of an IIS web server.

Typically the client renews this certificate itself.

But it is also possible to force the generation of a new certificate. First determine the serial number of the current certificate.

C:\> certutil  -store My
================ Certificate 1 ================
Serial Number: 70000338A0CAE690EE3144DF050000000338A0 
......


Or with PowerShell (note: the quotes must be straight ASCII quotes, not the typographic ones a blog editor may insert):

$oMachineStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
$oMachineStore.Open("ReadOnly")
$oMachineStore.Certificates | Select-Object Subject,SerialNumber,Issuer | Format-Table -AutoSize -Wrap
$oMachineStore.Close()
Subject                          SerialNumber                           Issuer
-------                          ------------                           ------
CN=yourHost.yourDomain.org       70000338A0CAE690EE3144DF050000000338A0 CN=addomain.ad

To renew an expired certificate with the existing key:

certreq -enroll -machine -q -PolicyServer * -cert 70000338A0CAE690EE3144DF050000000338A0 renew reusekeys

To renew an expired certificate and also generate a new key:

certreq -enroll -machine -q -PolicyServer * -cert 70000338A0CAE690EE3144DF050000000338A0 renew

After the renewal, certutil shows two certificates: the new one and the old one with the attribute "Archived!".

C:\> certutil  -store My
================ Certificate 1 ================
Serial Number: 70000338A0CAE690EE3144DF050000000338A0 
......
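The three steps above (find the serial number, run certreq, verify that the old certificate is archived) combined into one script. This is an added example and not part of Michael's post; it assumes a domain-joined host with a reachable policy server, and the issuer pattern CN=addomain.ad is a constructed placeholder taken from the output above that you replace with your CA's distinguished name.

```powershell
# Added example (not from the original post): renew the machine certificate that
# is closest to expiry in LocalMachine\My with certreq, then verify the result.
# Assumptions: domain-joined host, policy server reachable via "-PolicyServer *",
# and the default issuer pattern below is a constructed placeholder.
param(
    [string]$IssuerPattern  = 'CN=addomain.ad',   # constructed placeholder, adjust to your CA
    [int]$RenewWithinDays   = 30,                 # only renew when this close to expiry
    [switch]$ReuseKeys                            # pass to keep the existing key pair
)

# Step 1: find candidate machine certificates from our CA that have a private key.
# The Cert: provider does not list archived certificates, so only live ones appear.
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerPattern*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter)

if ($candidates.Count -eq 0) {
    Write-Warning "No machine certificate issued by '$IssuerPattern' found in LocalMachine\My."
    return
}

$cert     = $candidates[0]
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
Write-Host ("Current certificate {0} (serial {1}) expires {2:yyyy-MM-dd}, {3} day(s) left" -f
    $cert.Subject, $cert.SerialNumber, $cert.NotAfter, $daysLeft)

if ($daysLeft -gt $RenewWithinDays) {
    Write-Host "Certificate is outside the renewal window; nothing to do."
    return
}

# Step 2: build the certreq call shown in the post. Without 'reusekeys' a fresh
# key pair is generated, which is the safer default if the old key may have leaked.
$certreqArgs = @('-enroll', '-machine', '-q', '-PolicyServer', '*',
                 '-cert', $cert.SerialNumber, 'renew')
if ($ReuseKeys) { $certreqArgs += 'reusekeys' }

Write-Host "Running: certreq $($certreqArgs -join ' ')"
& certreq.exe @certreqArgs
if ($LASTEXITCODE -ne 0) {
    Write-Error "certreq failed with exit code $LASTEXITCODE"
    return
}

# Step 3: verify. Open the store with IncludeArchived so the old certificate is
# visible, and check that it now carries the Archived flag while a new
# certificate with a different serial number exists for the same subject.
$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
         [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open($flags)
try {
    $old = $store.Certificates | Where-Object { $_.SerialNumber -eq $cert.SerialNumber }
    $new = $store.Certificates | Where-Object {
        $_.Subject -eq $cert.Subject -and $_.SerialNumber -ne $cert.SerialNumber -and -not $_.Archived
    } | Sort-Object NotAfter -Descending | Select-Object -First 1

    if ($old -and $old.Archived -and $new) {
        Write-Host ("Renewal OK: new serial {0}, valid until {1:yyyy-MM-dd}; old serial archived." -f
            $new.SerialNumber, $new.NotAfter)
    } else {
        Write-Warning "Renewal could not be confirmed; inspect 'certutil -store My' manually."
    }
} finally {
    $store.Close()
}
```

Run it from an elevated PowerShell, since writing to the LocalMachine store requires administrative rights. The `Archived` flag is what certutil prints as "Archived!", so the verification step matches the certutil output shown in the post. If you want to match the first certreq variant exactly, pass `-ReuseKeys`.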

Michael

