Q. We're building a new Windows Certification Authority (CA) hierarchy in our Windows AD forest. We had a single root CA that issued certificates to both user and computer accounts in our AD. Now we're moving to a new two-tier PKI hierarchy. Is there an easy way to automatically re-enroll all certificate holders that received a certificate from the old CA with a new certificate issued by an issuing CA in the new PKI hierarchy? We're already using user and machine certificate auto-enrollment in our AD forest.

A. To force all holders of a particular certificate to automatically enroll for a replacement certificate issued by a CA in your new PKI hierarchy, use the Reenroll All Certificate Holders feature of the Certificate Templates MMC snap-in. All you need to do is right-click the certificate templates you want to reenroll and select Reenroll All Certificate Holders from the context menu, as shown here.

Reenroll all Certificate Holders option in the Certificate Templates MMC snap-in

Behind the scenes, this action increments the version number of the certificate templates. The auto-enrollment service on your Windows workstations and servers detects this change, which triggers your users and computers to enroll for certificates based on the updated templates.

The auto-enrollment service updates user and computer certificates at the next auto-enrollment pulse. For computers, the auto-enrollment pulse occurs at computer startup and every eight hours. For users, the auto-enrollment pulse occurs at user logon and every eight hours. You can also manually trigger an auto-enrollment pulse by running the following command from the command line:

certutil -pulse

Certutil.exe is included in the Windows Server 2003 Administrative Tools. In later Windows versions, this tool is installed by default.

For this automatic certificate re-enrollment to work, you must also make sure that a specific GPO setting is enabled. In the GPO auto-enrollment properties, you must have the Update certificates that use certificate templates option selected, as illustrated here.

Auto-enrollment properties in the GPO settings

The auto-enrollment properties are located in the Computer Configuration\Windows Settings\Security Settings\Public Key Policies and User Configuration\Windows Settings\Security Settings\Public Key Policies GPO containers. You must enable this option in both the user and computer configuration auto-enrollment properties to allow administrators to force both computers and users to reenroll for an updated certificate template.
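To confirm on a given machine that the pulse actually replaced the old certificates, the following PowerShell sketch lists each certificate in the computer and user Personal stores with its issuer and template information. It is an added example, not part of the original answer; the CA names `OLD-ROOT-CA` and `NEW-ISSUING-CA` and the function names are placeholders chosen for illustration.

```powershell
# Placeholder CA names (assumptions): use the subject CNs of your own CAs.
$OldCaName = 'OLD-ROOT-CA'      # retired single root CA
$NewCaName = 'NEW-ISSUING-CA'   # issuing CA in the new two-tier hierarchy

# Extensions that record the certificate template on certificates from a Windows CA.
$TemplateOids = @(
    '1.3.6.1.4.1.311.21.7',   # Certificate Template Information (template, major and minor version)
    '1.3.6.1.4.1.311.20.2'    # Certificate Template Name (version 1 templates)
)

function Get-TemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($oid in $TemplateOids) {
        $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($false) }   # decoded, single-line text
    }
    '(no template extension)'
}

function Get-ReenrollmentStatus {
    param([string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'))
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            $issuer = $cert.GetNameInfo('SimpleName', $true)   # $true selects the issuer name
            $status = switch ($issuer) {
                $NewCaName { 'Issued by new CA' }
                $OldCaName { 'Still from old CA' }
                default    { 'Other issuer' }
            }
            [pscustomobject]@{
                Store      = $path
                Status     = $status
                Issuer     = $issuer
                Template   = Get-TemplateText -Certificate $cert
                NotBefore  = $cert.NotBefore
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

# Run after the auto-enrollment pulse has completed.
Get-ReenrollmentStatus | Sort-Object Status, Store | Format-Table -AutoSize -Wrap
```

Run it in the logged-on user's session so that the `Cert:\CurrentUser\My` results reflect that user's certificates. A template that appears only under "Still from old CA" has not yet been replaced on that machine.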