Domain Controller Certificate - Manually requested certificate - can you have CA autorenew? Possible?
-
Thursday, May 03, 2012 11:41 PM
Hello,
Are you able to have a certificate that has been manually requested/signed (using the MMC and sending a request from a server/DC) using a Microsoft CA, automatically renewed before expiration (just like the default cert renewal at 6 weeks prior to expiration)?
We ran through the wizard on a DC for a DC cert, and don't want to have to manually renew it every year as defined in the template we chose from.
I'm looking for an answer to this exact question and, if it can be done, what are the steps? No alternative suggestions please. There's a specific reason I'm asking this exact question w/o providing too much detail. ;)
Thanks!
All Replies
-
Friday, May 04, 2012 1:14 AM
For details about certificates, the Security forum is the better place:
http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
Friday, May 04, 2012 2:07 AM
Hi,
This is an older reference to Server 2003, but the behaviour is the same today.
Certificates will attempt to renew at 80% of their life, so long as the actual template specifies a renewal interval. (Hence the reference to this being a per-template behaviour.)
Ignore the part about requiring Server 2003 Enterprise Edition, unless you're actually running Server 2003 (I'm assuming you're running at least Server 2008).
Cheers,
Lain
- Proposed As Answer by Ace Fekay [MCT] MVP Friday, May 04, 2012 3:03 AM
- Marked As Answer by Lawrence Lv, Microsoft Contingent Staff, Moderator Friday, May 11, 2012 8:31 AM
-
Friday, May 04, 2012 3:03 AM
In addition to Lain's suggestions, are you currently using or familiar with GPO Autoenrollment?
If you choose to use Autoenrollment, you'll need a v2 cert. That's only available on Windows 2003 Enterprise, 2008 Enterprise, 2008 R2 Standard (without the web enrollment feature), and 2008 R2 Enterprise (full featured).
AD CS Step-By-Step Guide (about setting up a CA with wireless and autoenrollment):
http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=44315BFF-B744-4637-A66B-E69B4955EE45&displaylang=en
Configure Certificate Autoenrollment:
http://technet.microsoft.com/en-us/library/cc731522.aspx
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This post is provided AS-IS with no warranties or guarantees and confers no rights.
- Marked As Answer by Lawrence Lv, Microsoft Contingent Staff, Moderator Friday, May 11, 2012 8:32 AM
-
Friday, May 04, 2012 6:58 PM
Thanks Lain.
I'll give it a try.
We will do the following:
1) Enabled subjectAltNames on the AD CS server (W2K8R2 CA server). Now we can configure templates to use this as an option.
2) Duplicated the 'Domain Controller' template and called the new one 'Domain Controller_SubjectAltName'.
3) Configured 'Domain Controller_SubjectAltName' to supersede the 'Domain Controller' template. (Does this mean it does not allow DCs to use the default 'Domain Controller' template over the new one? This is what we want.)
4) Jumped on each DC and manually ran through the wizard to request a certificate (during the wizard you specify the subjectAltNames you want).
5) Went to the CA server and approved the requests.
6) Will then reboot each DC to pick up the new - CORRECT/WANTED - DC cert enabling LDAPS with the new certificate, NOT using the default 'Domain Controller' template for its DC cert.
7) Now pray that when the certificates on each DC reach 80% of expiry, they will AUTOMATICALLY renew, even though the certs were manually added through the certificate request wizard process.
Does this sound correct? I'm really hoping step 7 will work as planned.
Ideas?
-
Friday, May 04, 2012 11:40 PM
Hi,
That sounds fine.
If you're really worried the process isn't going to do what it says it will, then you can run a test first by specifying a small renewal period on the template, like 24 hours, and renew the certificate. Then, the next day when you come back into work, you'll open up the Application log in Event Viewer and look for the following event:
Source: CertificateServicesClient-CertEnroll
Event Id: 20
Level: Information
Once you've confirmed the event is there you should have peace of mind. Just remember to put the renewal period back to what it was on the template.
If anecdotal evidence counts for anything though, then I can assure you the process does work, as I have been running automatic renewals for years both in work environments and at home.
Cheers,
Lain
- Edited by Lain Robertson Friday, May 04, 2012 11:41 PM Formatting changes.
- Edited by Lain Robertson Friday, May 04, 2012 11:43 PM Formatting.
- Marked As Answer by Lawrence Lv, Microsoft Contingent Staff, Moderator Friday, May 11, 2012 8:32 AM
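An added PowerShell example, not posted by anyone in this thread, that puts the two checks discussed above into one script: the 80% renewal point Lain describes, computed for each certificate in the DC's machine store (the seven-step plan asks exactly when this kicks in), and the verification Lain suggests, a query of the Application log for CertEnroll event 20. It assumes Windows Server 2008 R2 or later with PowerShell 2.0+, and that the ETW provider behind the "CertificateServicesClient-CertEnroll" source shown in Event Viewer is named Microsoft-Windows-CertificateServicesClient-CertEnroll (its full name; the thread only gives the short display name).

```powershell
# Added example (not from the thread). Run on the DC itself, elevated, so the
# LocalMachine\My store and the Application log are readable.

# --- Check 1: when does each machine certificate reach 80% of its lifetime? ---
# Autoenrollment renews at 80% of validity if the template defines a renewal
# period, so this tells you when to expect event 20 for each certificate.
function Get-RenewalSchedule {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert     = $_
        $lifetime = $cert.NotAfter - $cert.NotBefore
        # 80% of the validity period, measured from NotBefore.
        $renewAt  = $cert.NotBefore.AddTicks([long]($lifetime.Ticks * 0.8))

        # Certificate Template Information extension (v2 templates); falls back to
        # the older Certificate Template Name extension (v1 templates) if present.
        $tmplExt = $cert.Extensions | Where-Object {
            $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2'
        } | Select-Object -First 1
        $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Template   = $template
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            RenewAt80  = $renewAt
            # True once the client is inside the renewal window.
            DueNow     = (Get-Date) -ge $renewAt
        }
    }
}

# --- Check 2: has the autoenrollment client logged a successful enrollment? ---
# Lain's verification step: Application log, source CertificateServicesClient-
# CertEnroll, event ID 20, level Information. Get-WinEvent raises an error when
# nothing matches, so that case is turned into an empty result instead.
function Get-CertEnrollEvents {
    param([int]$MaxEvents = 20)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'  # assumed full provider name
        Id           = 20
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage: list the renewal schedule, then the most recent enrollment events.
Get-RenewalSchedule |
    Sort-Object RenewAt80 |
    Format-Table Subject, Template, NotAfter, RenewAt80, DueNow -AutoSize

$events = Get-CertEnrollEvents
if ($events) {
    $events | Format-List
} else {
    Write-Host 'No CertificateServicesClient-CertEnroll event 20 found in the Application log yet.'
}
```

When testing with a shortened renewal period as Lain suggests, run the script before and after the 24-hour window: the DueNow column flips to True once 80% of the shortened lifetime has passed, and a new event 20 (and a certificate with a later NotAfter) should appear if the template renewal worked. A certificate whose Template column shows "(no template extension)" was not issued from a template and will not be picked up by template-driven renewal at all.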

