{"id":4836,"date":"2017-06-27T22:33:05","date_gmt":"2017-06-27T20:33:05","guid":{"rendered":"http:\/\/michlstechblog.info\/blog\/?p=4836"},"modified":"2017-06-29T07:32:03","modified_gmt":"2017-06-29T05:32:03","slug":"windows-renew-a-machine-certificate","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/windows-renew-a-machine-certificate\/","title":{"rendered":"Windows: Renew a machine certificate"},"content":{"rendered":"<p>Hi,<\/p>\n<p>In most Active Directory environments, certificate enrollment is active, which generates and enrolls a certificate for each client. This certificate can be used for RADIUS authentication or as the certificate for an IIS web server.<\/p>\n<p>Typically the client renews this certificate itself.<br \/>\n<!--more--><br \/>\nBut it is also possible to force the generation of a new certificate. First, determine the serial number of the current certificate.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nC:\\&gt; certutil  -store My\r\n================ Certificate 1 ================\r\nSerial Number: 70000338A0CAE690EE3144DF050000000338A0 \r\n......\r\n<\/pre>\n<p><!--https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2011\/02\/16\/use-powershell-and-net-to-find-expired-certificates\/--><br \/>\nOr with PowerShell:<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\n# Open the local machine My store read-only and list its certificates\r\n$oMachineStore = New-Object System.Security.Cryptography.X509Certificates.X509Store(&quot;My&quot;,&quot;LocalMachine&quot;)\r\n$oMachineStore.Open(&quot;ReadOnly&quot;)\r\n$oMachineStore.Certificates|select-object Subject,SerialNumber,Issuer|ft -AutoSize -Wrap\r\nSubject                          SerialNumber                           Issuer\r\n-------                          ------------                           ------\r\nCN=yourHost.yourDomain.org       70000338A0CAE690EE3144DF050000000338A0 CN=addomain.ad\r\n<\/pre>\n<p>To renew an expired certificate with the existing key:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ncertreq -enroll -machine -q -PolicyServer * -cert 
70000338A0CAE690EE3144DF050000000338A0 renew reusekeys\r\n<\/pre>\n<p>To renew an expired certificate and also generate a new key:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ncertreq -enroll -machine -q -PolicyServer * -cert 70000338A0CAE690EE3144DF050000000338A0 renew\r\n<\/pre>\n<p>After the renewal, certutil shows 2 certificates: the new one and the old one with the attribute &#8220;Archived!&#8221;<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nC:\\&gt; certutil  -store My\r\n================ Certificate 1 ================\r\nSerial Number: 70000338A0CAE690EE3144DF050000000338A0 \r\n......\r\n<\/pre>\n<p>Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, in most Active Directory environments, certificate enrollment is active, which generates and enrolls a certificate for each client. This certificate can be used for RADIUS authentication or as the certificate for an IIS web server. Typically the client renews this certificate itself.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[84,1067,1070,1069,651,120,1068,20],"class_list":["post-4836","post","type-post","status-publish","format-standard","hentry","category-windowsknowhow","tag-certificate","tag-certiticate","tag-certreq","tag-certutil","tag-generate","tag-machine","tag-renew","tag-windows-2"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/4836","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=4836"}]
,"version-history":[{"count":16,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/4836\/revisions"}],"predecessor-version":[{"id":4858,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/4836\/revisions\/4858"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=4836"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=4836"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=4836"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}