Hello,
When my Windows 10 machine certificates enter their renewal period, they go ahead as planned and request their certificate renewals (which are automatically issued by the CA), but then they sometimes reject the issued certificate from the CA and don't install it.
In the Application event log you can see this corresponding error:
Automatic certificate enrollment for local system failed (0x800b0101) A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
On the workstation I'm currently looking at, this error shows twice in a 1-minute interval, at 8:16 and 8:17 (it seems to happen right after the system start-up at 8:15), and we can see the CA issuing the renewals twice at 8:16 and 8:17 too; but the workstation rejects it. For some reason the third renewal certificate for that machine was eventually installed successfully at 9:54.
Looking at the System / Windows Time logs, I suspect there could be a few seconds of difference between the CA and the workstation when those errors come up; I mean the issued certificates were probably received on the Windows 10 client a few seconds before their "NotBefore" date so the workstation refuses to install them.
While the ideal solution would obviously be a perfectly time-synced client/server environment 24/7, it is not a really easy task (especially with laptops coming in and out of the network anytime), so I'd like to have answers to the following:
=> Is it normal behavior that the Win 10 autoenroll process rejects the certificates that aren't yet valid, even if it requested them?
=> Would it be possible to force Windows 10 clients to accept those certificates even if their 'NotBefore' date is a bit in the future? Would it be an acceptable practice in terms of security / PKI operations (what are the risks with this)?
=> Why could there be a 1-minute interval between the first two attempts then the 3rd one completes over 1 hour later?
=> Is there a way to make the Windows 10 clients more "patient" for auto-enrollment? For example is there a Group Policy or Registry setting that would allow a delay between the time it requests and receives the signed certificate from the CA? Or something to start the AutoEnroll process once the computer has had enough time to properly start-up?
=> Which Windows service does AutoEnrollment depend on? How about setting this service's startup mode to "Automatic (Delayed)"?
If somebody knows a good article explaining the AutoEnrollment mechanisms on client side (ideally for Windows 10, even 7), I would appreciate it.
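A diagnostic I would run on an affected workstation to confirm the clock-skew hypothesis described in the post, as an added PowerShell example that is not part of the original post: it lists the 0x800b0101 autoenrollment failures, samples the clock offset to the CA with w32tm, and flags machine certificates whose NotBefore is still in the future. The CA hostname is a placeholder and the 7-day lookback window is an assumption.

```powershell
# Added diagnostic, not from the original post. $CaHost is a PLACEHOLDER
# for the issuing CA; the 7-day lookback is an assumed window.
$CaHost = 'ca01.example.internal'
$Since  = (Get-Date).AddDays(-7)

# 1. Autoenrollment failures carrying 0x800b0101 (cert not yet valid)
$failures = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x800b0101' } |
    Select-Object TimeCreated, Id, @{n='Message'; e={ ($_.Message -split "`n")[0] }}

"Autoenrollment failures (0x800b0101) since $Since`: $(@($failures).Count)"
$failures | Format-Table -AutoSize

# 2. Clock offset between this client and the CA. w32tm /stripchart /dataonly
#    prints one sample per line such as "08:16:01, +00.0123456s"; the regex
#    extracts the signed offset (sign convention as reported by w32tm).
$samples = w32tm /stripchart /computer:$CaHost /samples:5 /dataonly 2>$null |
    ForEach-Object { if ($_ -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } }
if ($samples) {
    $offset = ($samples | Measure-Object -Average).Average
    "Average offset to $($CaHost): {0:N3} s" -f $offset
    if ([math]::Abs($offset) -gt 1) {
        "WARNING: skew above 1 s; NotBefore rejections right after boot are plausible"
    }
} else {
    "Could not sample time from $CaHost (reachable? W32Time running there?)"
}

# 3. Machine certificates that are not yet valid or already expired,
#    to spot renewals that were issued but never became usable.
$now = Get-Date
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $state = if ($_.NotBefore -gt $now) { 'NOT YET VALID' }
             elseif ($_.NotAfter -lt $now) { 'EXPIRED' }
             else { 'valid' }
    [pscustomobject]@{
        Subject    = $_.Subject
        NotBefore  = $_.NotBefore
        NotAfter   = $_.NotAfter
        State      = $state
        Thumbprint = $_.Thumbprint
    }
} | Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the workstation shortly after boot, when the post says the failures occur, so the offset sample reflects the clock state at the time of the rejected enrollment.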