Windows: Renew a machine certificate

Hi,

In most Active Directory environments, certificate auto-enrollment is active and issues a certificate to each client. This certificate can be used for RADIUS authentication or as the server certificate of an IIS web server.

Typically the client renews this certificate itself.

But it is also possible to force the generation of a new certificate. First, determine the serial number of the current certificate.

C:\> certutil  -store My
================ Certificate 1 ================
Serial Number: 70000338A0CAE690EE3144DF050000000338A0 
......


Or with PowerShell:

$oMachineStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
$oMachineStore.Open("ReadOnly")
$oMachineStore.Certificates|select-object Subject,SerialNumber,Issuer|ft -AutoSize -Wrap
Subject                          SerialNumber                           Issuer
-------                          ------------                           ------
CN=yourHost.yourDomain.org       70000338A0CAE690EE3144DF050000000338A0 CN=addomain.ad

To renew an expired certificate with the existing key:

certreq -enroll -machine -q -PolicyServer * -cert 70000338A0CAE690EE3144DF050000000338A0 renew reusekeys

To renew an expired certificate and also generate a new key:

certreq -enroll -machine -q -PolicyServer * -cert 70000338A0CAE690EE3144DF050000000338A0 renew

After the renewal, certutil shows two certificates: the new one and the old one with the attribute "Archived!".

C:\> certutil  -store My
================ Certificate 1 ================
Serial Number: 70000338A0CAE690EE3144DF050000000338A0 
......
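As an added PowerShell example (not from the original post), here is the same procedure scripted end to end: locate the current machine certificate from the expected CA, refuse to renew it if it is no longer time-valid (the limitation the comment below points out), run certreq, and confirm that the old certificate is now archived. The issuer CN is a placeholder taken from the sample output above, and the -ReuseKeys switch selects the "renew reusekeys" variant.

```powershell
# Added example, not from the original post. Renews the machine certificate issued by
# $IssuerMatch with certreq and verifies afterwards that the old certificate was archived.
# Assumption: the issuer CN is a placeholder copied from the post's sample output.
param(
    [string]$IssuerMatch = 'CN=addomain.ad',
    [switch]$ReuseKeys
)

function Get-MachineCerts([bool]$IncludeArchived) {
    # Archived certificates are hidden unless the store is opened with IncludeArchived.
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly
    if ($IncludeArchived) {
        $flags = $flags -bor [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
    try {
        $store.Open($flags)
        return @($store.Certificates | Where-Object { $_.Issuer -eq $IssuerMatch })
    } finally {
        $store.Close()
    }
}

# 1. Pick the current (non-archived) certificate from the expected CA.
$current = Get-MachineCerts $false | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $current) { throw "No certificate issued by '$IssuerMatch' found in LocalMachine\My." }

# 2. certreq can only renew a certificate that is still time-valid (see the comment on the post);
#    an expired certificate has to be replaced by a fresh enrollment instead.
if ($current.NotAfter -lt (Get-Date)) {
    throw "Certificate $($current.SerialNumber) expired on $($current.NotAfter); enroll a new one instead."
}

# 3. Renew with the existing key pair ('reusekeys') or, by default, with a new key pair.
$certreqArgs = @('-enroll', '-machine', '-q', '-PolicyServer', '*', '-cert', $current.SerialNumber, 'renew')
if ($ReuseKeys) { $certreqArgs += 'reusekeys' }
& certreq.exe @certreqArgs
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 4. Verify: a new, non-archived certificate exists and the old one carries the Archived flag
#    (this is the "Archived!" attribute that certutil -store My prints).
$all = Get-MachineCerts $true
$old = $all | Where-Object { $_.SerialNumber -eq $current.SerialNumber } | Select-Object -First 1
$new = $all | Where-Object { $_.SerialNumber -ne $current.SerialNumber -and -not $_.Archived } |
       Sort-Object NotAfter -Descending | Select-Object -First 1
"Old certificate $($current.SerialNumber) archived: $($old.Archived)"
"New certificate serial: $($new.SerialNumber), valid until $($new.NotAfter)"
```

Run it from an elevated PowerShell session, since writing to the LocalMachine store and enrolling on behalf of the computer account requires administrator rights.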

Michael

One thought on “Windows: Renew a machine certificate”

  1. “You can only renew certificates that are time valid. Expired certificates cannot be renewed and must be replaced with a new certificate.”
    Source: certreq documentation
    see […]docs.microsoft.com/en-us/windows-server/administration/windows-commands/certreq_1#BKMK_enroll

    Th.N.
