certutil -store my
The command above can be used to get the required serial number for the cert needing to be renewed. This should show the machine store, if you need certs displayed for the user store remove the “my” keyword.
certreq -enroll -machine -q -PolicyServer * -cert <serial#> renew reusekeys
If you get the following error:
Ensure the machine account has enroll permission on the published certificate template. For step by step guidance follow this blog post by itexperince.
If you get this error “The certificate Authority denied teh request. A required certificate is not within it’s validity period when verifying against currect system clock”:
Ensure the Certificate you are attempting to renew is not already expired.
If it is follow my guide on creating new certs via CLI.
afterwards it should succeed.
*NOTE* this option archives the old certificate, and generates a new one with a new expiration date, with the same key, with a new serial number. How services that are bound to the certificate update themselves, I’m not sure for this test I did not have the certificate bound to any particular services. Verifying this actually the web server using the cert did automatically bind to the new cert, I’d still recommend you verify where the certificate is being used and ensure those services are update/restarted accordingly to apply the changes.
