I have a Windows Server which started logging this warning event 36/37 days before a certificate's expiry date and I would like to understand what controls/sets this timing and how it can be configured.

The certificate in question was not auto-enrolled.

Ultimately, I would like to use this event to send a notification X days before the cert is going to expire.

The source of this event in Event Viewer is CertificateServicesClient-Lifecycle-System > Operational.

See here for more context: https://social.technet.microsoft.com/wiki/contents/articles/14250.certificate-services-lifecycle-notifications.aspx

bchen

1 Answer

The certificate is considered "about to expire" in Windows after it reaches 90% of its validity. You can configure this in GPO as specified in the referenced TechNet Wiki article's "Settings for Autoenrollment added to Group Policy" section: Computer/User Configuration, Windows Settings, Security Settings, Public Key Policies, Certificate Services Client - Auto-Enrollment.

Crypt32
  • Does that "log expiry events" setting in the Enrollment Configuration Policy apply to non-auto-enrolled certificates like in my case? Or if the GPO is not enabled? – bchen Mar 21 '22 at 13:17
  • I just checked and the server in question isn't in the scope of any of our auto-enrollment policies. I'm speculating that 90% remaining validity might be an implicit default and I might need to have that GPO applied to the server to adjust it? – bchen Mar 21 '22 at 13:45
  • If policy is not applied, then 90% is the default value. – Crypt32 Mar 21 '22 at 14:46
  • Thanks! That bears out in my testing. – bchen Mar 25 '22 at 15:17
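The practical consequence of the 90% rule is that the warning does not fire a fixed number of days ahead; it depends on each certificate's validity length (a one-year certificate gives roughly 36.5 days, which matches the 36/37 days observed in the question). The following script is an added example, not code from the answer or from Microsoft: it computes, for every certificate in the machine store, the date the lifecycle warning is expected and how many days before expiry that is, then lists warnings already present in the log. The full channel name is assumed to be the standard "Microsoft-Windows-" prefixed form of the Event Viewer path shown in the question, and `$ThresholdPercent` is a script parameter to set to whatever the auto-enrollment GPO configures on the host.

```powershell
# Added example (not from the answer): predict when the CertificateServicesClient
# lifecycle "about to expire" warning will fire for each machine certificate,
# using the 90%-of-validity default described above. Set -ThresholdPercent to
# match the value the auto-enrollment GPO applies on this host, if any.
param(
    [double]$ThresholdPercent = 90,
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

# Assumed full channel name for "CertificateServicesClient-Lifecycle-System > Operational".
$logName = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'

$report = Get-ChildItem -Path $StorePath | ForEach-Object {
    $lifetime = $_.NotAfter - $_.NotBefore
    # The warning is expected once this fraction of the validity period has elapsed.
    $warnAt = $_.NotBefore.AddSeconds($lifetime.TotalSeconds * ($ThresholdPercent / 100))
    [pscustomobject]@{
        Subject          = $_.Subject
        Thumbprint       = $_.Thumbprint
        NotAfter         = $_.NotAfter
        ValidityDays     = [math]::Round($lifetime.TotalDays, 1)
        ExpectedWarnDate = $warnAt
        # Days before expiry at which the warning fires: 36.5 for a one-year cert at 90%.
        WarnDaysBefore   = [math]::Round(($_.NotAfter - $warnAt).TotalDays, 1)
    }
}

$report | Sort-Object ExpectedWarnDate | Format-Table -AutoSize

# Cross-check against what has actually been logged: warning-level (Level 3) events
# already present in the lifecycle log. Reading the log requires appropriate rights,
# and Get-WinEvent raises an error when no matching events exist.
try {
    Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 3 } -ErrorAction Stop |
        Select-Object TimeCreated, Id, Message |
        Format-List
} catch {
    Write-Warning "No warning events read from '$logName': $($_.Exception.Message)"
}
```

The ExpectedWarnDate column is what to compare against the TimeCreated of the logged warning; if they disagree, the host is applying a threshold other than 90% through policy.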