> How often does the client try to renew the certificate?
Every time autoenrollment is triggered, until it is renewed or expired.
The Computer certificate template's default setting for certificate renewal is 6 weeks before certificate expiration.
How often does the client try to renew the certificate? For example, if the local network is not available, or there are other connection issues. Does the computer try to renew the certificate over multiple days? Or once a week? How does it work?
Apologies. The GitHub link was missing in my previous comment.
Finally I got the RSA private key import working in PowerShell Core. My application is using a derived Convert-PemToPfx to do the trick (see https://github.com/PKISolutions/PSPKI/issues/64 for reasoning).
My changes are in __attachRSAPrivateKey() and there I'm using CngKey and RSACng for the import. After failing a lot on the import on PS core, this version of mine finally does the trick.
Feel free to utilize the approach in PSPKI, I certainly borrowed tons of your code in my app.
> And how much will it grow eventually and is credential roaming a best practise for 802.1x authentication?
In reality, it is about 2-3KB per certificate. For 4k users it will be about 10MB of roaming data. In the future it will grow, when users get renewal certificates. Though, the growth isn't permanent, because expired tokens will be deleted. In other words, there will be an impact on AD size and replication bandwidth, but not on compute resources (CPU, memory, disks), even with entry-level modern hardware.
For more details check the AskDS article: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/certs-on-wheels-understanding-credential-roaming/ba-p/395897