D
DJH
How do you configure a certificate template for Manual enrolment and Auto
renewal?
For example:
I have a web server called “WINSERVER1â€. It hosts a website called
“coolwebsite.localâ€
I request an SSL from the internal CA called coolwebsite.local.
I want that certificate to automatically renew when it expires.
Obviously this has to be a manual enrolment as the server would not know how
to request some random website name in a certificate.
This is what I have configured:
I have an AD Integrated Enterprise issuing CA.
A version 2 certificate template has been created for computer authentication.
Template settings are as follows:
Subject Name Tab -Supply in the request (followed
by a description. The sentence of interest is “Autoenrollment is not allowed
if you choose this option)
Issuance Requirements Tab -Require the following for enrolment: CA
certificate manager approval
-Require the following for reenrolment: Valid existing certificate
Security Tab -AD group allowing Read
Enroll and Autoenroll
A server is added to the AD group that was configured on the Template
permissions tab.
A GPO has been created allowing the server to autoenroll and renew.
A certificate was requested via the web interface http://caname/certsrv
using this template and approved via the Certificate Authorities mmc.
The server then had a certificate with a validity of 1 year.
My expectation was that it would auto renew the certificate when it was due
to expire – using the GPO, Template security, and “Valid existing
certificate†issuance requirement. This has not happened.
Have I configured something incorrectly?
Or
Is it not possible to have manually enrolled and automatically renewed?
renewal?
For example:
I have a web server called “WINSERVER1â€. It hosts a website called
“coolwebsite.localâ€
I request an SSL from the internal CA called coolwebsite.local.
I want that certificate to automatically renew when it expires.
Obviously this has to be a manual enrolment as the server would not know how
to request some random website name in a certificate.
This is what I have configured:
I have an AD Integrated Enterprise issuing CA.
A version 2 certificate template has been created for computer authentication.
Template settings are as follows:
Subject Name Tab -Supply in the request (followed
by a description. The sentence of interest is “Autoenrollment is not allowed
if you choose this option)
Issuance Requirements Tab -Require the following for enrolment: CA
certificate manager approval
-Require the following for reenrolment: Valid existing certificate
Security Tab -AD group allowing Read
Enroll and Autoenroll
A server is added to the AD group that was configured on the Template
permissions tab.
A GPO has been created allowing the server to autoenroll and renew.
A certificate was requested via the web interface http://caname/certsrv
using this template and approved via the Certificate Authorities mmc.
The server then had a certificate with a validity of 1 year.
My expectation was that it would auto renew the certificate when it was due
to expire – using the GPO, Template security, and “Valid existing
certificate†issuance requirement. This has not happened.
Have I configured something incorrectly?
Or
Is it not possible to have manually enrolled and automatically renewed?