DirectAccess-RADIUS-Encrypt-ourhostname.ourdomain.com certificate's 5y lifetime is over - How to renew? Or should we?

  • Question

  • Hi,

    Just discovered that our DirectAccess-RADIUS-Encrypt-ourhostname.ourdomain.com certificate (in Local Computer/Personal/Certificates) has expired. I think it is generated when DirectAccess is set up via the wizard.

    What does this certificate do? How do I renew it?

    I found this when I started to inspect two red crosses on our first DirectAccess server's health monitor (two-server farm; the second server is totally healthy):

    IP-HTTPS Not working properly: The IP-HTTPS certificate is missing. Causes: The certificate has been removed from the computer store.

    IPsec Not working properly: There is no valid certificate to be used by IPsec which chains to the root/intermediate certificate configured to be used by IPsec in the DirectAccess configuration. Several causes.

    These two errors seem to pop on/off at a mysterious interval. Suddenly everything is green on the health monitor without doing anything, and other times these two red crosses are back :( Other certificates (other than DA-RADIUS-Encrypt) are valid and running.

    Any ideas? :)


    Tsiksuka

    Thursday, November 8, 2018 2:26 PM

All replies

  • Don't worry about the RADIUS-Encrypt certificate. You are correct, that one self-generates when you configure DirectAccess, and as far as I know it's only used by the OTP mechanism. Almost nobody uses OTP with DirectAccess because it goes against the point of automated connectivity with DA, and so these certs are often expired on DA servers. It's not breaking anything.

    I can't recall that I have ever seen an IP-HTTPS certificate error message that comes and goes; if IP-HTTPS is working on that node, then I suppose this must be some kind of false-negative reading.

    The IPsec message is one that I see a lot. This happens whenever something changes with your internal CA's root certificate. Most often I see this when someone has renewed their root certificate in the environment. DA knows hash information about what the root CA's root certificate is, and when you update that root cert on the CA server, DA is now referencing an old hash that is no longer valid. DA still continues to work just fine, but that IPsec error shows up.

    All you need to do to fix the IPsec error is make sure the DA servers have a new copy of their machine certificate from the internal CA (just manually request a new copy on each server to make sure it's new), and then re-run through Step 2 of the DA wizards, making sure to choose the root CA with the new expiration date. Once you finish the wizard, give it about 5 minutes and that error message will turn green and stay green.

    Friday, November 9, 2018 11:28 AM
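The checks behind the reply above can be scripted on the DA server itself; this is an added example, not code from either poster. It assumes the RemoteAccess PowerShell module is present, that `Get-DAServer` exposes the configured root as `IPsecRootCertificate`, and that `Get-RemoteAccessHealth` reports the IPsec and IP-HTTPS components by those names.

```powershell
# Added diagnostic for the thread above (assumption: RemoteAccess module present,
# Get-DAServer has an IPsecRootCertificate property). Run on the DirectAccess server.
Import-Module RemoteAccess
$now = Get-Date

# 1. Expired or soon-to-expire certificates in Local Computer\Personal.
#    The DirectAccess-RADIUS-Encrypt-* cert is expected to show up here and,
#    per the reply, is harmless; anything else expired is worth attention.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt $now.AddDays(30) } |
    Select-Object Subject, NotAfter, Thumbprint,
        @{ Name = 'RadiusEncrypt'; Expression = { $_.Subject -like '*DirectAccess-RADIUS-Encrypt*' } } |
    Format-Table -AutoSize

# 2. Does the root CA certificate DA references still exist (same thumbprint)
#    in Trusted Root? If the CA's root was renewed, DA still holds the old hash
#    and the IPsec health check goes red exactly as described in the reply.
$daRoot  = (Get-DAServer).IPsecRootCertificate
$trusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $daRoot.Thumbprint }
if (-not $trusted) {
    Write-Warning "DA references root '$($daRoot.Subject)' ($($daRoot.Thumbprint)) which is not in Cert:\LocalMachine\Root; re-run Step 2 of the DA wizard and pick the current root."
} elseif ($trusted.NotAfter -lt $now) {
    Write-Warning "Configured IPsec root expired on $($trusted.NotAfter)."
} else {
    "IPsec root matches a trusted root valid until $($trusted.NotAfter)."
}

# 3. Does this server hold a valid machine certificate (with private key)
#    that chains to that root? Without one, IPsec cannot authenticate.
$chainsToRoot = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt $now } |
    Where-Object {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if ($chain.Build($_)) {
            $last = $chain.ChainElements[$chain.ChainElements.Count - 1]
            $last.Certificate.Thumbprint -eq $daRoot.Thumbprint
        } else { $false }
    }
if (-not $chainsToRoot) {
    Write-Warning "No valid machine certificate chains to the configured IPsec root; request a new one from the internal CA before re-running Step 2."
} else {
    "Machine certificate(s) chaining to the DA root: $($chainsToRoot.Thumbprint -join ', ')"
}

# 4. Current health monitor state for the two components in the question.
Get-RemoteAccessHealth |
    Where-Object { $_.Component -match 'IPsec|HTTPS' } |
    Select-Object Component, HealthState
```

Section 2 failing while section 3 passes is the renewed-root situation the reply describes; section 3 failing points at the machine certificate instead.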