PKI - Manual Enroll - Auto Renewal - Possible?

D

DJH

How do you configure a certificate template for Manual enrolment and Auto
renewal?

For example:
I have a web server called “WINSERVER1â€. It hosts a website called
“coolwebsite.localâ€
I request an SSL from the internal CA called coolwebsite.local.
I want that certificate to automatically renew when it expires.
Obviously this has to be a manual enrolment as the server would not know how
to request some random website name in a certificate.

This is what I have configured:

I have an AD Integrated Enterprise issuing CA.
A version 2 certificate template has been created for computer authentication.
Template settings are as follows:
Subject Name Tab -Supply in the request (followed
by a description. The sentence of interest is “Autoenrollment is not allowed
if you choose this option)
Issuance Requirements Tab -Require the following for enrolment: CA
certificate manager approval
-Require the following for reenrolment: Valid existing certificate
Security Tab -AD group allowing Read
Enroll and Autoenroll

A server is added to the AD group that was configured on the Template
permissions tab.
A GPO has been created allowing the server to autoenroll and renew.

A certificate was requested via the web interface http://caname/certsrv
using this template and approved via the Certificate Authorities mmc.
The server then had a certificate with a validity of 1 year.

My expectation was that it would auto renew the certificate when it was due
to expire – using the GPO, Template security, and “Valid existing
certificate†issuance requirement. This has not happened.
Have I configured something incorrectly?
Or
Is it not possible to have manually enrolled and automatically renewed?
 
P

Paul Adare

On Wed, 21 May 2008 22:05:00 -0700, DJH wrote:

> Is it not possible to have manually enrolled and automatically renewed?


Correct. You also can't do autoenrollment when the subject is supplied in
the request, as the template tells you.

--
Paul Adare
http://www.identit.ca
Bubble memory: A derogatory term, usually referring to a person's
intelligence. See also "vacuum tube."
 
D

DJH

thanks for the prompt reply,

we've only just picked this up in our test lab as certs have started to
expire, so we have a few weeks to find a workaround for production!



"Paul Adare" wrote:

> On Wed, 21 May 2008 22:05:00 -0700, DJH wrote:
>
> > Is it not possible to have manually enrolled and automatically renewed?

>
> Correct. You also can't do autoenrollment when the subject is supplied in
> the request, as the template tells you.
>
> --
> Paul Adare
> http://www.identit.ca
> Bubble memory: A derogatory term, usually referring to a person's
> intelligence. See also "vacuum tube."
>
 
P

Paul Adare

On Wed, 21 May 2008 22:34:00 -0700, DJH wrote:

> we've only just picked this up in our test lab as certs have started to
> expire, so we have a few weeks to find a workaround for production!


One solution would be to run a scheduled task on your web servers that
checks the certificate for expiration and then either fires off an email
notification to those responsible to performing the renwal, or, if you want
to get really fancy you could also script the renewal. Here's an example
script to get you started and to show you the types of things you can do
with CAPICOM:

'**************************************************
'* CertExpiryCheck.vbs
'* Enumerate certificates with day left for expiry
'**************************************************

Option Explicit
Dim SubjectName
If WScript.Arguments.Count > 0 Then
SubjectName = LCase(WScript.Arguments(0))
Else
CommandUsage
End If

Dim Store, Certificates, Certificate
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
Const CAPICOM_STORE_OPEN_READ_ONLY = 0

Set Store = CreateObject("CAPICOM.Store")
Store.Open CAPICOM_LOCAL_MACHINE_STORE, "MY" ,CAPICOM_STORE_OPEN_READ_ONLY
Set Certificates =
Store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, SubjectName,
0)

If Certificates.Count >0 Then
For Each Certificate in Certificates
'Certificate.display() 'If you want to see the Cert in UI
WScript.Echo "*** Subject " & Certificate.SubjectName & " ***"
WScript.Echo "Issued by " & Certificate.IssuerName
WScript.Echo "Valid from " & Certificate.ValidFromDate & " to " &
Certificate.ValidToDate
WScript.Echo "Days to expiry " &
DateDiff("d",now(),Certificate.ValidToDate)
WScript.Echo
Next
Else
WScript.Echo "No certificates with SubjectName => '" & SubjectName & "'"
End If

Set Certificates = Nothing
Set Store = Nothing

Sub CommandUsage
MsgBox "Usage: CertExpiryCheck.vbs [SubjectName] ",
vbInformation,"CertExpiryCheck"
WScript.Quit(1)
End Sub
--
Paul Adare
http://www.identit.ca
To err is human to really foul things up requires a computer.
 
D

DJH

Champion.. thank you,

we have some scripting guys who can hopefully rustle something up. Perhaps
we can work out a way for this script to run against members of a group, the
same group which allows enrollment of the certificate.

cheers for your help - its appreciated!



"Paul Adare" wrote:

> On Wed, 21 May 2008 22:34:00 -0700, DJH wrote:
>
> > we've only just picked this up in our test lab as certs have started to
> > expire, so we have a few weeks to find a workaround for production!

>
> One solution would be to run a scheduled task on your web servers that
> checks the certificate for expiration and then either fires off an email
> notification to those responsible to performing the renwal, or, if you want
> to get really fancy you could also script the renewal. Here's an example
> script to get you started and to show you the types of things you can do
> with CAPICOM:
>
> '**************************************************
> '* CertExpiryCheck.vbs
> '* Enumerate certificates with day left for expiry
> '**************************************************
>
> Option Explicit
> Dim SubjectName
> If WScript.Arguments.Count > 0 Then
> SubjectName = LCase(WScript.Arguments(0))
> Else
> CommandUsage
> End If
>
> Dim Store, Certificates, Certificate
> Const CAPICOM_LOCAL_MACHINE_STORE = 1
> Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
> Const CAPICOM_STORE_OPEN_READ_ONLY = 0
>
> Set Store = CreateObject("CAPICOM.Store")
> Store.Open CAPICOM_LOCAL_MACHINE_STORE, "MY" ,CAPICOM_STORE_OPEN_READ_ONLY
> Set Certificates =
> Store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, SubjectName,
> 0)
>
> If Certificates.Count >0 Then
> For Each Certificate in Certificates
> 'Certificate.display() 'If you want to see the Cert in UI
> WScript.Echo "*** Subject " & Certificate.SubjectName & " ***"
> WScript.Echo "Issued by " & Certificate.IssuerName
> WScript.Echo "Valid from " & Certificate.ValidFromDate & " to " &
> Certificate.ValidToDate
> WScript.Echo "Days to expiry " &
> DateDiff("d",now(),Certificate.ValidToDate)
> WScript.Echo
> Next
> Else
> WScript.Echo "No certificates with SubjectName => '" & SubjectName & "'"
> End If
>
> Set Certificates = Nothing
> Set Store = Nothing
>
> Sub CommandUsage
> MsgBox "Usage: CertExpiryCheck.vbs [SubjectName] ",
> vbInformation,"CertExpiryCheck"
> WScript.Quit(1)
> End Sub
> --
> Paul Adare
> http://www.identit.ca
> To err is human to really foul things up requires a computer.
>
 
Back
Top Bottom