
PKI - Manual Enroll - Auto Renewal - Possible?



Posted

How do you configure a certificate template for Manual enrolment and Auto renewal?

For example:

I have a web server called "WINSERVER1". It hosts a website called "coolwebsite.local". I request an SSL from the internal CA called coolwebsite.local. I want that certificate to automatically renew when it expires. Obviously this has to be a manual enrolment as the server would not know how to request some random website name in a certificate.

This is what I have configured:

I have an AD Integrated Enterprise issuing CA. A version 2 certificate template has been created for computer authentication. Template settings are as follows:

Subject Name Tab - Supply in the request (followed by a description. The sentence of interest is "Autoenrollment is not allowed if you choose this option")
Issuance Requirements Tab - Require the following for enrolment: CA certificate manager approval
 - Require the following for reenrolment: Valid existing certificate
Security Tab - AD group allowing Read, Enroll and Autoenroll

A server is added to the AD group that was configured on the Template permissions tab. A GPO has been created allowing the server to autoenroll and renew.

A certificate was requested via the web interface http://caname/certsrv using this template and approved via the Certificate Authorities mmc. The server then had a certificate with a validity of 1 year.

My expectation was that it would auto renew the certificate when it was due to expire – using the GPO, Template security, and "Valid existing certificate" issuance requirement. This has not happened.

Have I configured something incorrectly?
Or
Is it not possible to have manually enrolled and automatically renewed?


Guest Paul Adare
Posted

On Wed, 21 May 2008 22:05:00 -0700, DJH wrote:

> Is it not possible to have manually enrolled and automatically renewed?

Correct. You also can't do autoenrollment when the subject is supplied in the request, as the template tells you.

 

--

Paul Adare

http://www.identit.ca

Bubble memory: A derogatory term, usually referring to a person's

intelligence. See also "vacuum tube."

Posted

thanks for the prompt reply,

we've only just picked this up in our test lab as certs have started to expire, so we have a few weeks to find a workaround for production!

 

 

 


Guest Paul Adare
Posted

On Wed, 21 May 2008 22:34:00 -0700, DJH wrote:

> we've only just picked this up in our test lab as certs have started to
> expire, so we have a few weeks to find a workaround for production!

One solution would be to run a scheduled task on your web servers that checks the certificate for expiration and then either fires off an email notification to those responsible for performing the renewal, or, if you want to get really fancy, you could also script the renewal. Here's an example script to get you started and to show you the types of things you can do with CAPICOM:

 

'
' CertExpiryCheck.vbs
' Enumerate certificates matching a subject name and show days left to expiry
'
Option Explicit

Dim SubjectName
If WScript.Arguments.Count > 0 Then
    SubjectName = LCase(WScript.Arguments(0))
Else
    CommandUsage
End If

Dim Store, Certificates, Certificate
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
Const CAPICOM_STORE_OPEN_READ_ONLY = 0

' Open the local machine's personal ("MY") store read-only
Set Store = CreateObject("CAPICOM.Store")
Store.Open CAPICOM_LOCAL_MACHINE_STORE, "MY", CAPICOM_STORE_OPEN_READ_ONLY

' Match on subject name; the last argument (0 = False) means expired
' certificates are returned too, not only currently valid ones
Set Certificates = Store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, SubjectName, 0)

If Certificates.Count > 0 Then
    For Each Certificate In Certificates
        'Certificate.Display() 'If you want to see the cert in the UI
        WScript.Echo "Subject " & Certificate.SubjectName
        WScript.Echo "Issued by " & Certificate.IssuerName
        WScript.Echo "Valid from " & Certificate.ValidFromDate & " to " & Certificate.ValidToDate
        WScript.Echo "Days to expiry " & DateDiff("d", Now(), Certificate.ValidToDate)
        WScript.Echo
    Next
Else
    WScript.Echo "No certificates with SubjectName => '" & SubjectName & "'"
End If

Set Certificates = Nothing
Set Store = Nothing

Sub CommandUsage
    MsgBox "Usage: CertExpiryCheck.vbs [subjectName] ", vbInformation, "CertExpiryCheck"
    WScript.Quit(1)
End Sub

--

Paul Adare

http://www.identit.ca

To err is human; to really foul things up requires a computer.

Posted

Champion.. thank you,

we have some scripting guys who can hopefully rustle something up. Perhaps we can work out a way for this script to run against members of a group, the same group which allows enrollment of the certificate.

cheers for your help - it's appreciated!

 

 

 

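A PowerShell version of the CAPICOM expiry check, extended to the idea in the last reply of running it against the computers in the enrolment group. This is an added example, not Paul's script or anything posted in the thread; the group name WebCertEnroll, the 30-day threshold, and the use of WinRM and the ActiveDirectory module on the machine running it are assumptions.

```powershell
# Added example (not from the thread). Scans LocalMachine\My for certificates
# whose subject matches a name and reports the days left, then runs the same
# check on every computer in the AD group that holds Enroll on the template.
function Get-ExpiringWebCert {
    param(
        [Parameter(Mandatory)][string]$SubjectName,  # e.g. 'coolwebsite.local'
        [int]$WarnDays = 30                          # assumed threshold
    )
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
        ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                NeedsRenew = ($daysLeft -le $WarnDays)
            }
        }
}

# Computer members of the enrolment group (placeholder group name; needs the
# ActiveDirectory module). User members are skipped.
$members = Get-ADGroupMember -Identity 'WebCertEnroll' -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    Select-Object -ExpandProperty Name

# Run the function remotely over WinRM and collect one row per certificate.
$report = Invoke-Command -ComputerName $members `
    -ScriptBlock ${function:Get-ExpiringWebCert} `
    -ArgumentList 'coolwebsite.local', 30

$report | Where-Object NeedsRenew |
    Format-Table Computer, Subject, NotAfter, DaysLeft -AutoSize

# Optional renewal step on the server itself: certreq renews the existing
# certificate in place, keeping its subject and generating a fresh key pair.
# If the template still requires CA certificate manager approval, the request
# lands in Pending and must be issued from the CA console before the new
# certificate appears in the store.
foreach ($row in ($report | Where-Object NeedsRenew)) {
    Invoke-Command -ComputerName $row.Computer -ScriptBlock {
        param($Thumbprint)
        certreq.exe -Enroll -machine -q -cert $Thumbprint Renew
    } -ArgumentList $row.Thumbprint
}
```

Schedule the first part as a daily task and feed the NeedsRenew rows to whatever alerting you use; the renewal loop is only worth enabling once the pending-approval step has an owner.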
