Thanks. Do you mean that if I use a CSR and import the certificate to the computer manually, my computers don't need to join the domain, correct?
If I renew the certificate on the CA server, will the GPO automatically push the cert to domain clients?
Now when I test with GPO auto-enrollment, the user certificate is auto-installed on domain clients, but the workstation cert cannot be auto-installed on domain clients and cannot authenticate using the workstation certificate. But I am still trying to test with the user certificate.
Please let me know which subject format is the easiest way to do cert authentication in 802.1x?
I also want to mention that my existing network is already running with one VTI and one DMVPN tunnel in each site.
All the routers are using one RSA key pair and one trustpoint for both tunnels now. But I am not sure what will happen if I add a new tunnel for dual DMVPN. I worry the existing production network will go down.
Let me know of any concern for this scenario?
I have another question about your previous advice to use a different RSA key and trustpoint for the two different tunnels.
I also want to know: if I create a new RSA key pair and a new trustpoint on the existing running routers, will it affect the existing tunnel and certificates?
Yes, if you create a CSR on the computer it does not need to be joined to the domain.
The ROOT certificate on the CA should be created with a lifetime of 15-20 years, so usually would not need renewing. If you are referring to the identity certificate for the computer/users, this would usually have a lifetime of 2-3 years. The GPO applied to the users/computers can be configured to auto-renew the certificate.
You shouldn't necessarily need to modify the certificates; use the "User" and "Computer" templates.
If you are adding another DMVPN tunnel and it is using the same certificate for authentication, this should be fine.
If you create a new keypair with a unique label this should not impact the existing keypair, just follow the configuration previously supplied.
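As an added illustration of the last point (this is example configuration, not from the thread or from Cisco), the following Cisco IOS fragment creates a second RSA keypair under its own label and binds it to a separate trustpoint and IKEv2 profile for a new DMVPN tunnel, leaving the existing keypair, trustpoint and tunnel untouched. The labels (DMVPN2-KEY, DMVPN2-TP, DMVPN2-IKEV2, DMVPN2-IPSEC, Tunnel200), the SCEP/NDES URL, the subject name and the addresses are placeholders to be replaced with your own values.

```cisco
! --- Added example; names and addresses are placeholders, not from the thread ---
! 1. New keypair with a unique label: the existing keypair (and the certificate
!    issued against it) is not touched because the label is different.
crypto key generate rsa label DMVPN2-KEY modulus 2048
!
! 2. Separate trustpoint for the second tunnel, enrolled against the same CA.
!    The enrollment URL is the NDES/SCEP endpoint of your CA (placeholder).
crypto pki trustpoint DMVPN2-TP
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 subject-name CN=router1-dmvpn2.example.com,OU=Routers
 revocation-check crl
 rsakeypair DMVPN2-KEY
!
! 3. Import the CA certificate and request an identity certificate for the
!    new trustpoint (interactive; the existing trustpoint keeps its own cert).
crypto pki authenticate DMVPN2-TP
crypto pki enroll DMVPN2-TP
!
! 4. Dedicated IKEv2 profile that authenticates with the new trustpoint only.
crypto ikev2 profile DMVPN2-IKEV2
 match identity remote fqdn domain example.com
 identity local fqdn router1-dmvpn2.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint DMVPN2-TP
!
crypto ipsec transform-set DMVPN2-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN2-IPSEC
 set transform-set DMVPN2-TS
 set ikev2-profile DMVPN2-IKEV2
!
! 5. New mGRE tunnel on its own NHRP network-id and tunnel key. If it shares the
!    tunnel source with the existing DMVPN tunnel, add the "shared" keyword so
!    both tunnels can use tunnel protection on the same source interface.
interface Tunnel200
 ip address 10.200.0.1 255.255.255.0
 ip nhrp network-id 200
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 200
 tunnel protection ipsec profile DMVPN2-IPSEC shared
!
! Verification: both keypairs and both trustpoints should be listed, and the
! new trustpoint should show a CA certificate plus an issued router certificate.
! show crypto key mypubkey rsa
! show crypto pki trustpoints
! show crypto pki certificates DMVPN2-TP
! show crypto ikev2 sa
```

Before enrolling on a production router, confirm the CA template used for routers allows the chosen subject format, and check `show crypto pki certificates DMVPN2-TP` afterwards; the original trustpoint's certificate and the running tunnel are unaffected because nothing in the existing trustpoint or keypair is modified.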