> Does Windows attempt renewal in this case?
Nope. At the point when the CA certificate has expired, the client certificate is expired too (because the client certificate's validity cannot exceed the issuer's validity). Expired and revoked certificates are not subject to renewal. Only an initial request is possible in this case.
What happens with a user certificate that is issued by a CA using a template that was configured for automatic renewal, and the CA cert expires? Does Windows attempt renewal in this case?
> Is your lib capable of building this stuff from scratch as well?
Not yet. I have only basic PKCS#7 decoder support and recognize only PKCS#10 embedded requests.
You're just writing about analyzing PKCS7-encoded enveloped objects. Is your lib capable of building this stuff from scratch as well? I.e., I want to build a SCEP request, where the PKCS10 has to be stored symmetrically encrypted by, let's say, DES-CBC, and the DES-CBC key has to be asymmetrically encrypted by, let's say, RSA; all that stuff has to be packed as enveloped-data PKCS7 and signed as a PKCS7 data blob around it. I tried getting that done with Windows System.Security.Cryptography as well as with BouncyCastle and failed after all, because Windows (as you said) does NOT provide the stuff I need and BC is providing it within the JCE part of the lib, which is only available to Java. So when finding your lib I hoped to be there. I'm just not finding any documentation about building PKCS7 from scratch.
> Is it possible to change the authentication type after the fact to use certificate authentication rather than username/password w/out removing and reinstalling the role?
No, there is no other way. You have to uninstall the existing service and install a new one.
© 2008 - 2019 - Sysadmins LV. All rights reserved