
Windows PKI policy has a setting for what I think is automated renewal of AD template issued certificates when they expire.

[screenshot of the Group Policy auto-enrollment setting]

It must also be enabled on the certificate authority (CA) side. Question - if I copy an AD template based cert from the machine where it was originally generated to another box, will the automatic renewal work on the new box?

This could depend on whether the renewal is initiated by the CA or by the certificate's home machine. In the former case, the CA might not know that the cert was copied and might push it via global policy to the original host.

Seva Alekseyev

1 Answer


All renewals are initiated from the client, not the CA.

To renew, the client sends the renewal request in CMC format. A CMC renewal request requires signing by the original certificate's private key, therefore you would need to ensure that the certificate and private key are on the client - not just the certificate.

You then need to consider the template. If it takes the Subject name from AD, then when the new client renews it may be issued a certificate with a different name to the original, which, depending on what validation checks the CA carries out, may not work.

It would be easier to simply enrol for a new certificate on the other machine.

garethTheRed
  • The private key was copied along with the cert in my scenario. The template doesn't assign the subject AFAIK, it takes one from the request. Do you know what process/task exactly initiates renewal? – Seva Alekseyev Apr 16 '23 at 22:03
  • On modern Windows, I _think_ it's the scheduled tasks under `Task Scheduler > Microsoft > Windows > CertificateServicesClient`. Namely `SystemTask` and `UserTask`. The renewal is enabled/disabled by the group policy in your question. – garethTheRed Apr 17 '23 at 06:11
  • @SevaAlekseyev: Are you asking *if* the certificate will renew or how to initiate a renewal? Basically it is when it reaches the 80% mark of the end date. https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/approval-required-certificate-renewals-autoenrollment https://www.networkoc.net/microsoft-ca-commands-and-cheat-sheet/ – Greg Askew Apr 17 '23 at 10:48
  • I'm asking whether *Windows* will initiate a renewal on a copied (with key) cert on the machine it's been copied to. If not, I can write the task/logic manually, but I'm hoping I won't have to. – Seva Alekseyev Apr 17 '23 at 12:22
  • Windows will initiate it, but whether the certificate template criteria will allow it to be auto-renewed is something else. If you're not familiar with the template, you'll need to look at it to see that there are no enrolment criteria that'll block an autorenew, *and* that the server account has the appropriate perms to autoenroll with that template. Check the *Renew manually enrolled certificates* section in Vadims Podans' article on server autoenrollment: https://www.sysadmins.lv/blog-en/certificate-autoenrollment-in-windows-server-2016-part-2.aspx – LeeM Apr 20 '23 at 00:06
  • That article also goes into a ton of detail on autoenrollment in general, the location of the default Windows scheduled tasks that run the enrolment checks (which you shouldn't mess with), and how to use `certutil -pulse` to manually trigger an enrolment check. Plus much, much more. – LeeM Apr 20 '23 at 00:10
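The answer and comments above list the preconditions a copied certificate has to meet before the autoenrollment client will renew it on the new box: the auto-enrollment tasks must exist and the policy must be on, the private key must have come across with the certificate (the CMC renewal request is signed with it), the certificate must carry a template extension the client can act on, and it must have crossed the renewal threshold (the 80% mark cited in the comments). The following PowerShell script is an added example written for this page; it is not from the question, the answer, or Microsoft, and it only checks and triggers, it does not change any template or CA setting. The thumbprint parameter, the 0.8 threshold, and the reading of the AEPolicy registry flags are assumptions to verify on your own build; `certutil -pulse` and `certreq -Enroll ... Renew ReuseKeys` are standard Windows tools. Run it elevated on the machine the certificate was copied to.

```powershell
<#
  Added example (not part of the original Q&A): pre-flight checks for
  auto-renewal of a certificate copied (with its key) to this machine.
  ASSUMPTIONS: $Thumbprint is the copied cert's SHA-1 thumbprint; the 0.8
  renewal fraction comes from the "80% mark" comment above, not from the
  template, which may define its own renewal period.
#>
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [double] $RenewAtLifetimeFraction = 0.8
)

# 1. Is the autoenrollment client wired up? These are the tasks named in the
#    answer: SystemTask (machine store) and UserTask (user store).
Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' |
    Select-Object TaskName, State | Format-Table -AutoSize

# 2. The GPO from the question is written to the registry as AEPolicy.
#    Assumed flag meanings: 0x1 = enabled, 0x2 = renew expired/update pending/
#    remove revoked, 0x4 = update template-based certs, 0x8000 = disabled.
$ae = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
if ($null -eq $ae) { Write-Warning 'No AutoEnrollment policy key: the GPO has not applied here' }
else { 'AEPolicy = 0x{0:X}' -f $ae.AEPolicy }

# 3. The CMC renewal request is signed with the ORIGINAL private key, so the
#    copy must have brought the key, not just the public certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint is not in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    throw 'No private key on this box: the renewal request cannot be signed, autoenrollment will skip it'
}

# 4. Autoenrollment only renews certs it can tie back to a template, via the
#    v2 (1.3.6.1.4.1.311.21.7) or v1 name-only (1.3.6.1.4.1.311.20.2) extension.
#    The machine account also needs Autoenroll on that template (LeeM's comment);
#    that ACL lives on the template in AD and is not visible from the cert.
$tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' }
if (-not $tmplExt) { Write-Warning 'No certificate-template extension: the client will not treat this as template-issued' }
else { $tmplExt | ForEach-Object { $_.Format($true) } }

# 5. If the template builds the subject from AD, a renewal from here will be
#    issued in THIS host's name, which the answer warns may not match.
'Subject on cert : {0}' -f $cert.Subject
'This host       : {0}' -f $env:COMPUTERNAME

# 6. Where in its lifetime is it? Nothing happens before the threshold.
$lifetime = $cert.NotAfter - $cert.NotBefore
$elapsed  = (Get-Date) - $cert.NotBefore
$fraction = $elapsed.TotalSeconds / $lifetime.TotalSeconds
'{0:P0} of lifetime elapsed (threshold {1:P0})' -f $fraction, $RenewAtLifetimeFraction

# 7. Don't wait for the scheduled task: certutil -pulse triggers the same
#    autoenrollment pass now. The commented certreq line is the manual
#    equivalent of what the client does (renew with the existing key pair).
if ($fraction -ge $RenewAtLifetimeFraction) {
    certutil -pulse
    # certreq -Enroll -Machine -q -cert $Thumbprint Renew ReuseKeys
}
else {
    'Below the renewal threshold; the autoenrollment task will not renew yet.'
}
```

After `certutil -pulse`, the outcome lands in the CertificateServicesClient-AutoEnrollment events in the Application log and, if a request was actually sent, in the CA's issued or pending queue, so check there rather than trusting the script's own output.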