I am trying to configure Key Based Renewal using WES to support autorenewal of certificates in workgroup computers and untrusted domains.
I have configured CEP (Certificate Authentication, Key Based Renewal) and CES (Certificate Authentication, Key Based Renewal, Read Only Mode).
The client is a server joined to a non-trusted domain. I succeeded in setting up the CEP through GPO, and I am able to renew a certificate manually through MMC.
However, the certificate doesn't get renewed automatically. I do get event ID 1003 (that the certificate is about to expire), and autoenrollment is enabled through GPO. And if I try renewing manually, it works.
Any ideas?
Based on your comments, the behavior you face is expected. The client doesn't have Autoenroll permissions on the certificate template in the foreign forest. Since you can enroll and renew certificates manually, you can go to the CA server (or ask the PKI admin to do this) and look for the identity used to authenticate your request (the Requester Name column). This user account must be granted Autoenroll permissions, or be added to a global or universal group that has the appropriate permissions on that template. Then delete the local policy cache and run certutil -pulse to trigger autoenrollment and attempt to renew the certificate. Note that if there is a fresher certificate based on the same template, autoenrollment won't renew it until 80% of the certificate lifetime has passed or the template's major revision is updated.
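As an added example (not part of the answer above), the following PowerShell script checks which machine certificates have passed the 80%-of-lifetime mark mentioned above, clears the cached enrollment policy, triggers an autoenrollment pass with certutil -pulse, and then shows the latest AutoEnrollment events so you can see whether the renewal was attempted. It assumes the template's renewal period is not shorter than 20% of the lifetime and that it is run elevated on the client.

```powershell
# Added example, not from the original post. Assumes the 80% default rule and
# an elevated session on the client machine.
param(
    [double]$RenewThreshold = 0.80   # fraction of lifetime after which renewal is attempted
)

$now = Get-Date
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $lifetime = ($_.NotAfter - $_.NotBefore).TotalSeconds
    $elapsed  = ($now - $_.NotBefore).TotalSeconds
    $fraction = if ($lifetime -gt 0) { $elapsed / $lifetime } else { 1 }
    # Template name/OID from the v1 (1.3.6.1.4.1.311.20.2) or v2 (1.3.6.1.4.1.311.21.7) extension
    $tmpl = ($_.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
        ForEach-Object { $_.Format($false) }) -join '; '
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        PctElapsed = [math]::Round($fraction * 100, 1)
        RenewDue   = ($fraction -ge $RenewThreshold)   # autoenrollment will consider it
        Template   = $tmpl
    }
} | Sort-Object PctElapsed -Descending | Format-Table -AutoSize

# Drop the cached CEP policy so the client re-reads template permissions,
# then trigger the machine autoenrollment task.
certutil -f -policycache delete
certutil -pulse

# Inspect the most recent AutoEnrollment events (1003 = expiry warning, others report renewal results)
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
} -MaxEvents 10 | Select-Object TimeCreated, Id, Message | Format-List
```

If RenewDue shows True but no renewal follows the pulse, the AutoEnrollment events will usually name the access-denied or policy error, which points back to the missing Autoenroll permission on the template.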