Renew / Recreate User Certificates

Daniel Andryszak 121 Reputation points
2025-11-03T15:13:54.6666667+00:00

We have several remote users whose user certificates have expired.

We are using a single Windows Server CA.

I am trying to renew or create new certificates for the users, export the certificate and send the certificate to the users.

When I try to renew the certificate, I don't have the option to create one for a user other than myself.

Anyone have a good process to accomplish this?


3 answers

  1. Harry Phan 10,695 Reputation points Independent Advisor
    2025-11-03T15:40:30.5166667+00:00

    Hello Daniel Andryszak

    To renew or issue certificates for others using a single Windows Server CA, you need admin rights and a certificate template that grants "Enroll" and "Autoenroll" permissions to the target users or groups. Use the Certification Authority MMC or the certreq tool with a valid request file to generate certificates.

    If you're logged in as yourself, renewals apply to your account. To create certificates for others, either log in as them or use a certificate template with a CA-signed request. After issuing, export the certificate (with or without the private key) and deliver it securely.


  2. Harry Phan 10,695 Reputation points Independent Advisor
    2025-11-03T15:41:24.9433333+00:00

    Oh, in case you need a step-by-step guide to issuing user certificates via a Windows Server CA, this is how:

    1. Configure Certificate Template:
      • Open the Certification Authority console.
      • Go to Certificate Templates, right-click the appropriate template (e.g., “User”), and select Properties.
      • Under the Security tab, ensure the users or groups have “Enroll” permissions.
    2. Duplicate and Customize Template (Optional but Recommended):
      • Right-click the “User” template and choose Duplicate Template.
      • On the new template, enable “Allow private key to be exported” if you plan to export the certificate with the key.
      • Publish the new template to the CA.
    3. Generate Certificate Request:
      • Use the MMC Certificates snap-in or certreq tool to generate a certificate request for each user.
      • You can do this on a secure admin machine or script it if you have many users.
    4. Submit and Issue Certificate:
      • Submit the request to the CA via MMC or certreq -submit.
      • Once approved, download the issued certificate.
    5. Export Certificate:
      • Use MMC to export the certificate (with private key if needed) in .PFX format.
      • Set a strong password during export.
    6. Distribute Securely:
      • Send the .PFX file securely to each user (e.g., encrypted email or secure file transfer).
      • Instruct users to import it via MMC or double-click and follow the wizard.
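
Steps 3 to 5 of the answer above, scripted with certreq and Export-PfxCertificate on an admin workstation. This is an added example, not part of the original thread. The user name, template name and CA config string are hypothetical, and it assumes the duplicated template accepts the subject from the request and allows private key export.

```powershell
# Added example; every value below is a hypothetical placeholder.
$User     = 'jdoe'
$Template = 'UserExportable'                       # duplicated template from step 2
$CaConfig = 'ca01.example.test\Example-Issuing-CA' # "CA host\CA name"
$WorkDir  = Join-Path $env:TEMP "certreq-$User"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 3: request definition. Exportable = TRUE is required for the PFX export later.
$inf = @"
[Version]
Signature = "`$Windows NT`$"
[NewRequest]
Subject = "CN=$User"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@
$infPath = Join-Path $WorkDir 'request.inf'
$reqPath = Join-Path $WorkDir 'request.req'
$cerPath = Join-Path $WorkDir 'issued.cer'
$pfxPath = Join-Path $WorkDir "$User.pfx"
Set-Content -Path $infPath -Value $inf -Encoding ASCII

certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# Step 4: submit to the CA. A template that needs manager approval leaves the
# request pending and writes no certificate file, so check for the file.
certreq.exe -submit -config $CaConfig $reqPath $cerPath
if (-not (Test-Path $cerPath)) { throw 'No certificate returned; request may be pending or denied.' }

# Bind the issued certificate to the private key created by -new.
certreq.exe -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Step 5: export to PFX with a password typed at the prompt (never stored in the script).
$thumb = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath).Thumbprint
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password for $User"
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$thumb" -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Remove the certificate and its private key from the admin's own store after export.
Remove-Item -Path "Cert:\CurrentUser\My\$thumb" -DeleteKey
Write-Output "Exported $pfxPath (thumbprint $thumb)"
```

Send the PFX password to the user over a different channel than the file itself, and delete the working directory once the file has been delivered.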

  3. Harry Phan 10,695 Reputation points Independent Advisor
    2025-11-04T12:09:35.4333333+00:00

    Hello Daniel Andryszak

    How is it going? Was it helpful to you? I really hope it was. Please share the good news with me ;)
