
I have an LDAP application which needs to talk to Active Directory via LDAPS (LDAP over SSL). I installed Active Directory Certificate Services on a test Domain Controller (I know this is not best practice, but my customer has no spare Windows Server license for a standalone CA server).

From here I read and followed these instructions:

If you install the AD CS role and specify the Setup Type as Enterprise on a domain controller, all domain controllers in the forest will be configured automatically to accept LDAP over SSL

The issued certificate was indeed loaded into the DC certificate store, and the LDAPS-aware application is working.

My question is: will the certificate be renewed/re-enrolled automatically, or do I need to take care of it manually? What do I need to check to be sure that automatic renewal will work correctly?

shodanshok
  • You will have to manually request and renew certificates. With an Enterprise CA you can utilize certificate autoenrollment to automatically request and renew certs, but certainly not with a Standalone CA. – Crypt32 Mar 10 '20 at 13:10
  • @Crypt32 Having selected "Setup Type = Enterprise" I *am* using an Enterprise CA, right? – shodanshok Mar 10 '20 at 13:13
  • Yes. In your description you talked about a Standalone CA, so your information is confusing. – Crypt32 Mar 10 '20 at 13:15
  • @Crypt32 thanks, I clarified the question. My customer has **no** intention to use a standalone server/CA. If you care to expand your comment into a full answer, I would gladly accept it. – shodanshok Mar 10 '20 at 13:18
  • See the `Update` section in my response. I see you are looking for LDAPS; it is much easier. Configure the GPO and add the built-in `Kerberos Authentication` template to the CA. – Crypt32 Mar 10 '20 at 13:38

1 Answer


With an ADCS Enterprise CA, you can utilize certificate autoenrollment, which can automatically request and renew certificates for users and computers. I wrote a new whitepaper on how it works in detail: Certificate Autoenrollment in Windows Server 2016. There is a downloadable copy of the document.

In short, it is done as follows:

  1. Configure the autoenrollment policy in GPO as specified in the Configuring autoenrollment policy section.
  2. Apply the GPO to the appropriate container (OU, domain, site).
  3. Find a suitable certificate template you want to deploy. Go to the Security tab and grant the appropriate groups (users, computers or DCs) the following permissions: Read, Enroll and Autoenroll.
  4. Publish the template to the CA for issuance.
  5. ????
  6. PROFIT

The last two items imply that you have to wait until the GPO is applied to clients.

Note: in order for autoenrollment to succeed, the subject name of the certificate must be constructed from Active Directory.


Update

In your particular question, you only need to configure the autoenrollment GPO and publish the Kerberos Authentication template to the CA if it is not yet added. This template already has all the required permissions.

Crypt32
  • Great answer, and your blog is a monumental work! I would ask for some clarifications: a) during ADCS installation and configuration, the domain controller was provided with a certificate from the template "Domain Controller". The certificate has a 1 year duration, and I did not change any GPO. As is, 1 year from now the certificate will expire *without* being automatically renewed, right? b) you wrote about the "Kerberos Authentication" template, which is enabled but not issued (the only certificate is from the template "Domain Controller"). How/why does the template "Kerberos Authentication" play a role here? – shodanshok Mar 10 '20 at 14:24
  • The `Kerberos Authentication` template is a newer version of the older `Domain Controller` template. Among other things (such as LDAPS, smart card logon), it does support autoenrollment and strict KDC. The older template doesn't support any. The newer template is not enrolled because you didn't apply the autoenrollment policy yet. – Crypt32 Mar 10 '20 at 14:31
  • Well, I did some more tests changing the system date of the test domain controller (adding 364 days from today) and it [renewed automatically](https://ibb.co/3fYsFQ9) the issued certificate, albeit using the older "Domain Controller" template and without specifying anything via GPO. What am I missing? – shodanshok Mar 10 '20 at 15:13
  • This is hardcoded functionality that came from Windows 2000 times. You should unpublish the old template from the CA and use the new template with autoenrollment. – Crypt32 Mar 10 '20 at 16:02
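A verification script for the "what do I need to check" part of the question, covering the answer's GPO and template steps and the Domain Controller vs Kerberos Authentication template point from the comments. This is an added example, not code from any post: it reads the autoenrollment policy registry value the GPO writes, lists the DC's Server Authentication certificates with the template each came from, and lists the templates the CA publishes.

```powershell
# Run in an elevated PowerShell session on the domain controller.

# 1. Autoenrollment policy as written by the "Certificate Services Client -
#    Auto-Enrollment" GPO. Bit 1 = enabled, bit 2 = renew expired / update pending,
#    bit 4 = update certificates that use templates; 7 = all three, 0x8000 = disabled.
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) {
    Write-Warning 'AEPolicy not set: no autoenrollment GPO has been applied to this machine.'
} elseif (($aePolicy -band 0x8000) -ne 0) {
    Write-Warning 'Autoenrollment is explicitly disabled by policy.'
} else {
    'AEPolicy = {0} (enabled={1}, renew/update={2}, template-update={3})' -f $aePolicy,
        (($aePolicy -band 1) -ne 0), (($aePolicy -band 2) -ne 0), (($aePolicy -band 4) -ne 0)
}

# 2. Machine certificates usable for LDAPS (Server Authentication EKU) and the
#    template each was issued from. v1 templates carry the template *name* in
#    extension 1.3.6.1.4.1.311.20.2; v2+ templates carry name/OID/version in
#    extension 1.3.6.1.4.1.311.21.7.
$serverAuth = '1.3.6.1.5.5.7.3.1'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $serverAuth } |
    ForEach-Object {
        $cert = $_
        $v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
        $v2 = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $template = if ($v2) { $v2.Format($false) } elseif ($v1) { $v1.Format($false) } else { '<none>' }
        # The legacy v1 "DomainController" template is renewed only by the built-in
        # DC logic; GPO-driven autoenrollment needs a v2 template such as
        # Kerberos Authentication.
        if (-not $v2 -and $template -match 'DomainController') {
            Write-Warning "$($cert.Thumbprint): issued from the legacy v1 'DomainController' template."
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Template   = $template
        }
    } | Format-Table -AutoSize

# 3. Templates the CA actually publishes; "KerberosAuthentication" should be
#    listed and, per the accepted advice, "DomainController" should not.
certutil -CATemplates
```

After the GPO has applied, `certutil -pulse` triggers an immediate autoenrollment pass so the script can be re-run without waiting for the next policy refresh.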