ADCS WebServer Autoenrollment best practise

Question

As in any IT environment, the number of web server certificates is constantly increasing. With the reduction of the duration to 1 year, the administration effort increases at the same time if such processes are not automated. Currently we have a simple PKI based on MS ADCS.

I have never delegated the issuance of web server (mostly Windows Server with IIS,Apache,Tomcat...) certificates to the web servers because I cannot control which domain is specified in the web server request with Microsoft on-board resources. Even if you can still limit the exhibition to certain groups.

Here is a technical example

I would be interested to know how this is with others and whether others are also increasingly coming to the point as described here. From a CA point of view, I would rather have a lifecycle that can control which server requests which web server certificate. From a pure admin and cost point of view it is tempting to just release the template for all.

Answer 1

You should configure your template to re-enrol automatically, once the initial approval has been given by the CA Manager role:

On your template, you should set the initial Issuance Requirements to CA certificate manager approval as you already have.

Next, set the template's Issuance Requirement to permit reenrollment using Valid existing certificate, and set the Subject Name to Use subject information from existing certificates for autoenrollment renewal requests.

Make sure your group policies are set: Certificate Service Client - Auto-Enrollment Settings to enable Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates and Update and manage certificates that use certificate templates from Active Directory.

You will now be expected to approve the initial issuance, but the client and CA will renew automatically. You'll still need to configure the binding on IIS.

You may need to check that your Certificate Policy permits this. Some may place restrictions on the number of automatic re-enrollments.

Note that the one year or so limit is for public CAs only, so your internal CAs can do what they want in terms of validity period, subject to the controls in your Certificate Policy of course.