Autorenew not working when setting up key based renewal - Cep/CES
Solution 1:
Based on your comments, the behavior you face is expected. Client doesn't have Autoenroll
permissions on certificate template in foreign forest.
Since you can enroll and renew certificates manually, you can go to CA server (or ask PKI admin to do this) and look for identity used to authenticate your request (Requester Name
column). This user account must be granted Autoenroll
permissions or add to a global or universal group that has appropriate permissions on that template. Then delete local policy cache and run certutil -pulse
to trigger autoenrollment and attempt to renew the certificate.
Note that if there is more fresh certificate based on same template, autoenrollment won't renew it until 80% of certificate lifetime is passed or template major revision is updated.