SSL certificate renewal process?
We are in the process of setting up a PKI environment. One of the certificate templates users will be able to request is for a website SSL certificate. The validity for these SSL certs is set to 2 years with renewal period set at 6 weeks.
When the user's SSL certificate is 2 years - 6 weeks, the renewal period will begin. My question is: how is the user notified of this? There does not seem to be a mechanism within CA that allows for an email to be sent to the user (or some other mechanism of notification). The enrollment website has an "attributes" text box where you could theoretically put in renewal contact information I suppose.
Is this a process that businesses have to create on their own? Is there really nothing within MS PKI that automates this?
July 30th, 2012 2:05pm
Unfortunately, there is no way to notify users about an expiring SSL certificate. Alternatively you can use the certificate management pack in OpsMgr or your own custom tool (scripted).
P.S. In Windows Server 2012 it is possible to perform autoenrollment for SSL certificates, however users may have to configure IIS (or other application that utilizes SSL certificate) each time the certificate is renewed, because manual binding is required.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
July 30th, 2012 3:13pm
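A sketch of the "own custom tool (scripted)" mentioned in the answer above, as an added example that is not part of the original thread or the poster's code. It assumes the script runs on the CA (or a host where certutil can read the CA database) as a scheduled task; the SMTP server and all mail addresses are placeholders, and the 42-day window is the 6-week renewal period from the question.

```powershell
# Added example: mail requesters whose issued certificates expire within 6 weeks.
# Assumptions (not from the thread): certutil can read the CA database from here;
# the SMTP host and the addresses below are placeholders.
$SmtpServer = 'smtp.example.internal'          # placeholder
$From       = 'pki-noreply@example.internal'   # placeholder
$FallbackTo = 'pki-admins@example.internal'    # placeholder, used when no mail is found
$WindowDays = 42                               # 6 weeks, as in the question

# Disposition=20 selects issued certificates; now+dd:hh is certutil's relative date form.
$restrict = "Disposition=20,NotAfter>=now,NotAfter<=now+$($WindowDays):00"
$columns  = 'RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate'

$raw = certutil -view -restrict $restrict -out $columns csv
if ($LASTEXITCODE -ne 0) { throw "certutil failed: $raw" }

# The first CSV line is a localized header row; skip it and apply fixed names.
$certs = $raw | Select-Object -Skip 1 |
    ConvertFrom-Csv -Header RequestID, Requester, CommonName, NotAfter, Template

function Get-RequesterMail([string]$Requester) {
    # Requester is DOMAIN\sAMAccountName. Anything unexpected (computer accounts,
    # characters that would alter the LDAP filter) goes to the fallback mailbox.
    $sam = ($Requester -split '\\')[-1]
    if ($sam -notmatch '^[\w.\-]+$') { return $FallbackTo }
    $hit = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$sam))").FindOne()
    if ($hit -and $hit.Properties['mail'].Count) { $hit.Properties['mail'][0] }
    else { $FallbackTo }
}

# One message per requester, listing all of that requester's expiring certificates.
$certs | Group-Object Requester | ForEach-Object {
    $to   = Get-RequesterMail $_.Name
    $list = $_.Group | Format-Table RequestID, CommonName, NotAfter, Template -AutoSize |
        Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $to `
        -Subject "SSL certificates expiring within $WindowDays days" `
        -Body "These certificates are inside the renewal period:`r`n$list"
}
```

Certificates that were already renewed still appear until the old one expires, so recipients may see entries they have handled.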
Thanks for the answer.
July 30th, 2012 3:17pm


