
I am trying to configure Key Based Renewal using WES to support autorenewal of certificates in workgroup computers and untrusted domains.

I have configured CEP (Certificate Authentication, Key Based Renewal) and CES (Certificate Authentication, Key Based Renewal, Read Only Mode).

The client is a server joined to a non-trusted domain. I succeeded in setting up the CEP through GPO, and I am able to renew a certificate manually through MMC.

However, the certificate doesn't get renewed automatically. I do get event ID 1003 (the certificate is about to expire), and autoenrollment is enabled through GPO. If I try renewing manually, it works.

Any ideas?

CryptoDan
  • Is autoenrollment enabled and configured in GPO? Does the client have Autoenroll permissions on the target template? – Crypt32 Mar 02 '21 at 16:20
  • Yes, autoenrollment is enabled via GPO. – CryptoDan Mar 02 '21 at 20:02
  • Autoenrollment is enabled via GPO. About client permissions: which client should I give permission to? The client doing the autorenewal is not in the CA's domain. That's why I built the key-based-renewal WES. I did try giving the user running the CES application pool Autoenroll permissions, but that didn't help. Looking at the CEP XML located in C:\ProgramData\Microsoft\Windows\X509Enrollment, I see that the following is configured for my template: - true false – CryptoDan Mar 02 '21 at 20:21

1 Answer

Based on your comments, the behavior you face is expected. The client doesn't have Autoenroll permissions on the certificate template in the foreign forest.

Since you can enroll and renew certificates manually, you can go to the CA server (or ask the PKI admin to do this) and look for the identity used to authenticate your request (the Requester Name column). This user account must be granted Autoenroll permissions, or be added to a global or universal group that has the appropriate permissions on that template. Then delete the local policy cache and run certutil -pulse to trigger autoenrollment and attempt to renew the certificate.

Note that if there is a newer certificate based on the same template, autoenrollment won't renew it until 80% of the certificate lifetime has passed or the template's major revision is updated.

Crypt32
  • Because I set up the WES for key-based renewal, the requester name is the user I configured in the WES application pool. I tried granting the Autoenroll permissions to the application pool user, but the XML still shows autoenroll=false. BUT I don't understand how the CEP decides what permissions to write in the XML (in a key-based renewal setting), because there is no enrollment, only renewing. – CryptoDan Mar 03 '21 at 09:47
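The procedure in the answer (identify the Requester Name on the CA, then clear the client's CEP policy cache and pulse autoenrollment), written out as a PowerShell script. This is an added example, not code from the question, the answer or any Microsoft documentation. The CA config string 'CAHOST\Contoso-CA' and the template name 'KeyBasedRenewal' are hypothetical placeholders, and the script assumes the files under C:\ProgramData\Microsoft\Windows\X509Enrollment are MS-XCEP policy XML in which each policy carries a commonName and a permission element with enroll and autoEnroll booleans; if the cache on your build is stored differently, step 2 simply reports nothing.

```powershell
# Added example, not from the original post. Hypothetical values: CA config
# string 'CAHOST\Contoso-CA' and template name 'KeyBasedRenewal'. Assumes the
# CEP cache files are MS-XCEP XML with <policy> elements containing
# attributes/commonName and attributes/permission/enroll|autoEnroll.
param(
    [string]$CAConfig     = 'CAHOST\Contoso-CA',
    [string]$TemplateName = 'KeyBasedRenewal',
    [string]$CacheDir     = "$env:ProgramData\Microsoft\Windows\X509Enrollment"
)

# --- Step 1 (run on the CA, or remotely with CA admin rights) --------------
# List issued requests (Disposition 20) and show who authenticated each one.
# With key-based renewal through CES the Requester Name is expected to be the
# CES application pool account; that account is the one that needs Autoenroll
# on the template, not the foreign-domain client itself.
function Get-IssuedRequesters {
    param([string]$Config)
    certutil -config $Config -view -restrict "Disposition=20" `
        -out "RequestID,RequesterName,CertificateTemplate,NotAfter" |
        Select-String -Pattern 'Requester Name|Certificate Template|Not After'
}

# --- Step 2 (run elevated on the client) ----------------------------------
# Report the enroll / autoEnroll flags the CEP returned for the template.
# autoEnroll=false is the symptom from the comments: the identity that
# authenticated to the CEP lacks Autoenroll on the template.
function Get-CachedTemplatePermission {
    param([string]$Dir, [string]$Template)
    Get-ChildItem -Path $Dir -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { [xml]$doc = Get-Content -Path $_.FullName -Raw -ErrorAction Stop }
            catch { return }   # not XML (or unreadable): skip this file
            foreach ($p in $doc.SelectNodes("//*[local-name()='policy']")) {
                $name = $p.SelectSingleNode(".//*[local-name()='commonName']")
                if ($null -eq $name -or $name.InnerText -ne $Template) { continue }
                [pscustomobject]@{
                    CacheFile  = $_.FullName
                    Template   = $name.InnerText
                    Enroll     = $p.SelectSingleNode(".//*[local-name()='enroll']").InnerText
                    AutoEnroll = $p.SelectSingleNode(".//*[local-name()='autoEnroll']").InnerText
                }
            }
        }
}

# --- Step 3 (run elevated on the client, after Autoenroll was granted) -----
# Delete the cached policy so the next autoenrollment pass re-queries the CEP,
# then trigger machine autoenrollment now instead of waiting for the scheduled
# task. For a user-context certificate use 'certutil -user -pulse' instead.
function Invoke-PolicyRefresh {
    param([string]$Dir)
    Get-ChildItem -Path $Dir -File -Recurse -ErrorAction SilentlyContinue |
        Remove-Item -Force
    certutil -pulse
}

'== Requesters seen by the CA (look for the CES app pool account) =='
Get-IssuedRequesters -Config $CAConfig

'== Cached CEP permission before refresh =='
Get-CachedTemplatePermission -Dir $CacheDir -Template $TemplateName

Invoke-PolicyRefresh -Dir $CacheDir

# certutil -pulse only kicks the autoenrollment task; give it time to fetch
# fresh policy before re-reading the cache.
Start-Sleep -Seconds 30

'== Cached CEP permission after refresh (autoEnroll should now read true) =='
Get-CachedTemplatePermission -Dir $CacheDir -Template $TemplateName
```

Step 1 needs rights to query the CA database and is normally run by the PKI admin; steps 2 and 3 run in an elevated session on the renewing client. If autoEnroll still reads false after the refresh, the permission change on the template has not reached the account the CEP authenticated as, which is the case the answer describes.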