PKI - Manual Enroll - Auto Renewal - Possible?

PKI - Manual Enroll - Auto Renewal - Possible? DJH 05-22-2008
Posted by DJH on May 22, 2008, 1:05 am
How do you configure a certificate template for Manual enrolment and Auto
renewal?

For example:
I have a web server called “WINSERVER1”. It hosts a website called
“coolwebsite.local”
I request an SSL from the internal CA called coolwebsite.local.
I want that certificate to automatically renew when it expires.
Obviously this has to be a manual enrolment as the server would not know how
to request some random website name in a certificate.

This is what I have configured:

I have an AD Integrated Enterprise issuing CA.
A version 2 certificate template has been created for computer authentication.
Template settings are as follows:
  Subject Name tab: Supply in the request (followed by a description; the
  sentence of interest is "Autoenrollment is not allowed if you choose this
  option")
  Issuance Requirements tab: Require the following for enrolment: CA
  certificate manager approval
                             Require the following for reenrolment: Valid
  existing certificate
  Security tab: AD group allowing Read, Enroll and Autoenroll

A server is added to the AD group that was configured on the Template
permissions tab.
A GPO has been created allowing the server to autoenroll and renew.

A certificate was requested via the web interface http://caname/certsrv
using this template and approved via the Certificate Authorities mmc.
The server then had a certificate with a validity of 1 year.

My expectation was that it would auto renew the certificate when it was due
to expire – using the GPO, Template security, and “Valid existing
certificate” issuance requirement. This has not happened.
Have I configured something incorrectly?
Or
Is it not possible to have manually enrolled and automatically renewed?




Posted by Paul Adare on May 22, 2008, 1:14 am
On Wed, 21 May 2008 22:05:00 -0700, DJH wrote:

> Is it not possible to have manually enrolled and automatically renewed?

Correct. You also can't do autoenrollment when the subject is supplied in
the request, as the template tells you.

--
Paul Adare
http://www.identit.ca
Bubble memory: A derogatory term, usually referring to a person's
intelligence. See also "vacuum tube."

Posted by DJH on May 22, 2008, 1:34 am
thanks for the prompt reply,

we've only just picked this up in our test lab as certs have started to
expire, so we have a few weeks to find a workaround for production!




Posted by Paul Adare on May 22, 2008, 1:45 am
On Wed, 21 May 2008 22:34:00 -0700, DJH wrote:

> we've only just picked this up in our test lab as certs have started to
> expire, so we have a few weeks to find a workaround for production!

One solution would be to run a scheduled task on your web servers that
checks the certificate for expiration and then either fires off an email
notification to those responsible for performing the renewal, or, if you want
to get really fancy, you could also script the renewal. Here's an example
script to get you started and to show you the types of things you can do
with CAPICOM:

'**************************************************
'* CertExpiryCheck.vbs
'* Enumerate certificates with days left to expiry
'**************************************************

Option Explicit
Dim SubjectName
If WScript.Arguments.Count > 0 Then
    SubjectName = LCase(WScript.Arguments(0))
Else
    CommandUsage
End If

Dim Store, Certificates, Certificate
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
Const CAPICOM_STORE_OPEN_READ_ONLY = 0

' Open the local machine's personal ("MY") store read-only
Set Store = CreateObject("CAPICOM.Store")
Store.Open CAPICOM_LOCAL_MACHINE_STORE, "MY", CAPICOM_STORE_OPEN_READ_ONLY
' Find every certificate whose subject name contains SubjectName (substring match)
Set Certificates = Store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, SubjectName, 0)

If Certificates.Count > 0 Then
    For Each Certificate In Certificates
        'Certificate.Display() 'If you want to see the cert in the UI
        WScript.Echo "*** Subject " & Certificate.SubjectName & " ***"
        WScript.Echo "Issued by " & Certificate.IssuerName
        WScript.Echo "Valid from " & Certificate.ValidFromDate & " to " & Certificate.ValidToDate
        WScript.Echo "Days to expiry " & DateDiff("d", Now(), Certificate.ValidToDate)
        WScript.Echo
    Next
Else
    WScript.Echo "No certificates with SubjectName => '" & SubjectName & "'"
End If

Set Certificates = Nothing
Set Store = Nothing

Sub CommandUsage
    MsgBox "Usage: CertExpiryCheck.vbs [SubjectName] ", vbInformation, "CertExpiryCheck"
    WScript.Quit(1)
End Sub
--
Paul Adare
http://www.identit.ca
To err is human; to really foul things up requires a computer.
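The same scheduled-task idea in PowerShell, as an added example that is not from the thread and not Paul Adare's script: it reads the machine's personal store (the store CAPICOM opens as LOCAL_MACHINE "MY"), reports days to expiry for certificates whose subject matches a pattern, writes a Warning event and optionally sends mail for any certificate inside the warning window, and can optionally submit a renewal request with certreq. The SMTP host, mail addresses, event source name and the -AttemptRenewal behaviour are assumptions for illustration, not anything the thread specifies.

```powershell
<#
  Check-CertExpiry.ps1 (added example, not from the thread)
  Reports days to expiry for LocalMachine\My certificates matching a subject
  pattern and alerts on those inside the warning window.
  Placeholders to replace: SMTP server, mail addresses, event source name.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $SubjectPattern,   # e.g. 'coolwebsite.local'
    [int]    $WarnDays   = 30,
    [string] $SmtpServer = 'smtp.example.local',       # placeholder
    [string] $MailTo     = 'pki-admins@example.local', # placeholder
    [string] $MailFrom   = 'certcheck@example.local',  # placeholder
    [switch] $SendMail,
    [switch] $AttemptRenewal
)

$now    = Get-Date
$source = 'CertExpiryCheck'   # assumed event source name

# Register the event source once so alerts land in the Application log
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# Reading Subject/NotAfter needs no private-key access; the task account
# only needs to be able to enumerate the machine store.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectPattern*" }

if (-not $certs) {
    Write-Warning "No certificates in LocalMachine\My match '$SubjectPattern'"
    return
}

$report = foreach ($cert in $certs) {
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        SerialNumber  = $cert.SerialNumber
        NotAfter      = $cert.NotAfter
        DaysToExpiry  = [int]($cert.NotAfter - $now).TotalDays
        HasPrivateKey = $cert.HasPrivateKey
    }
}
$report | Format-Table -AutoSize

$expiring = $report | Where-Object { $_.DaysToExpiry -le $WarnDays }
foreach ($e in $expiring) {
    $msg = "Certificate '$($e.Subject)' (thumbprint $($e.Thumbprint)) " +
           "expires on $($e.NotAfter) ($($e.DaysToExpiry) days left)."
    Write-EventLog -LogName Application -Source $source -EntryType Warning `
        -EventId 1001 -Message $msg
    if ($SendMail) {
        Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
            -Subject "Certificate expiring: $($e.Subject)" -Body $msg
    }
    if ($AttemptRenewal) {
        # Assumed behaviour: submits a renewal request for the existing cert.
        # With a template that requires CA certificate manager approval (as in
        # this thread) the request sits pending until a manager issues it, so
        # the alert above is still what gets a person involved.
        & certreq.exe -Enroll -machine -q -cert $e.SerialNumber Renew
    }
}
```

Run it daily from a scheduled task (for instance Register-ScheduledTask with a New-ScheduledTaskTrigger -Daily trigger) and monitor for event ID 1001 from the CertExpiryCheck source; DJH's idea of running it against every member of the enrolment group can be done by wrapping the call in Invoke-Command over the group's computer accounts.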

Posted by DJH on May 22, 2008, 2:07 am
Champion.. thank you,

we have some scripting guys who can hopefully rustle something up. Perhaps
we can work out a way for this script to run against members of a group, the
same group which allows enrollment of the certificate.

cheers for your help - it's appreciated!



