Deb
We have 4 domain controllers in our environment, all recently
requested a new computer account certificate for the expiring one. All
received a new certificate within 2 days of the request. When I launch
the Certificates MMC, the new certificate is the only one displayed.
However, when attempting SSL communication from outside the domain
using an exported certificate, the handshake never asks for the user
certificate and responds that the certificate has expired. Further
research shows that when directing an SSL request directly to each
domain controller and viewing the certificate (via a browser), they are
in fact still presenting the old certificate. It appears that the
autoenroll process worked all the way up to updating the active
certificate on the domain controller. If I reboot the domain
controller (I've done 3 thus far, leaving one for me to test on), the
new certificate will now be used.
My questions are:
1 - Why wouldn't the autoenroll process put the new certificate in
place automatically - why does it require a reboot (should it?)?
2 - What process in the reboot actually updated the certificate being
used?
3 - Does the certificate actually reside on the server in a file format
(.cer, .p7b, .crt, .cdl, etc.)?
4 - Is there a way for me to manually "wake up" the new certificate
without rebooting the server (which I assume is the way that the
autoenroll process was supposed to do it in the first place)?
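The following script is an added example from the editor, not code from the poster or from any reply to this thread. It addresses the checking side of questions 1 and 4: it connects to each DC on the LDAPS port and reports the certificate the DC actually presents (thumbprint and NotAfter), which is what the external client sees, independent of what the Certificates MMC shows. It then asks a stale DC to re-read its certificate store by writing the rootDSE operational attribute `renewServerCertificate`, which is the mechanism Microsoft documents in its guidance on enabling LDAP over SSL with a third-party CA. The DC names in `$DomainControllers` are placeholders, the script assumes it runs from a domain-joined host with an account allowed to write rootDSE, and the certificate-validation callback deliberately accepts any server certificate because the point is to observe what is presented, not to trust it.

```powershell
# Added example (editor's code, not from the original post).
# Assumptions: domain-joined host, an account permitted to modify rootDSE,
# and placeholder DC names below.
$DomainControllers = @('dc01.example.local', 'dc02.example.local')   # placeholders

function Get-LdapsPresentedCertificate {
    # Open a TLS session to the DC on 636 and return the certificate it presents.
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 636
    )
    $client = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    try {
        # The callback returns $true so an expired/untrusted cert is still captured for inspection.
        $ssl = [System.Net.Security.SslStream]::new(
            $client.GetStream(), $false, { param($s, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            ComputerName = $ComputerName
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotBefore    = $cert.NotBefore
            NotAfter     = $cert.NotAfter
            Expired      = ($cert.NotAfter -lt (Get-Date))
        }
    }
    finally {
        $client.Dispose()
    }
}

function Request-DcCertificateReload {
    # Write renewServerCertificate=1 to rootDSE so the DC re-selects its LDAPS certificate
    # without a reboot. The bind uses the caller's Windows credentials (Negotiate) over 389.
    param([Parameter(Mandatory)] [string] $ComputerName)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($ComputerName)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()
    $mod = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
    $mod.Name      = 'renewServerCertificate'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Add
    [void]$mod.Add('1')
    # An empty DN addresses rootDSE.
    $request  = [System.DirectoryServices.Protocols.ModifyRequest]::new('', $mod)
    $response = $conn.SendRequest($request)
    $conn.Dispose()
    return $response.ResultCode   # Success (0) means the DC accepted the reload request
}

foreach ($dc in $DomainControllers) {
    $before = Get-LdapsPresentedCertificate -ComputerName $dc
    $before | Format-List

    if ($before.Expired) {
        Write-Host "$dc is still presenting an expired certificate; requesting reload..."
        $rc = Request-DcCertificateReload -ComputerName $dc
        Write-Host "rootDSE modify result: $rc"

        # Re-check so the change is verified from the client's point of view.
        $after = Get-LdapsPresentedCertificate -ComputerName $dc
        if ($after.Thumbprint -ne $before.Thumbprint) {
            Write-Host "$dc now presents $($after.Thumbprint), valid until $($after.NotAfter)"
        }
        else {
            Write-Warning "$dc still presents the old certificate; check the new cert has the Server Authentication EKU, a private key, and the DC's FQDN in its subject or SAN"
        }
    }
}
```

Run the check first against the one DC that has not been rebooted: if the MMC shows only the new certificate but this script reports the old thumbprint, the DC has simply not re-read its store, and the rootDSE write is the non-disruptive way to make it do so. Keep the "before" and "after" output; it is the evidence an auditor or an external partner will ask for when the expired-certificate handshake error is closed out.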