We are using Active Directory Certificate Services (AD CS) to issue certificates for internal web applications. We can manually request a certificate from the CA and it gets issued without problems. The auto-enrollment group policy is configured according to here.
One of the certificates issued that way is about to expire soon, so I was searching for a way to automatically renew expiring certificates (without any manual steps).
From what I found online, it's required to enable the option "Use subject information from existing certificates for autoenrollment renewal requests", which we subsequently did on the existing Certificate Template this cert is based on.
(we also had to change the compatibility settings to Certification Authority: Windows Server 2008 R2 and Certificate recipient: Windows 7 / Server 2008 R2, because the option was greyed out before)
A while after checking that option, the certificate that is about to expire was archived, but no new one was issued.
On a second try today, I un-archived the certificate and added the Autoenroll permission on the template to the appropriate group, but with the same result.
Update: The CA server itself also hosts an IIS web site, because the Certification Authority Web Enrollment role service is installed. I now noticed that the certificate for that server must have been renewed automatically shortly after enabling said option. That also tells me that the template can't be the issue, because it worked there.
That's exactly what I want, but unfortunately I can't get it to work on the other server.
Update 2: I'm a fine step forward now. Because it's hard to test with a two year validity period, I duplicated the existing template and changed the validity period to a few hours. And guess what! Certificates issued using the test template are automatically renewed without problems.
I would normally think: Well, this will probably only work for certificates issued after the change was made - but this can't be the case either, because it worked for the web enrollment site.
I can't really test much longer with this certificate, because it's already expiring tomorrow. However, I would still want to know what stops this from working.
If someone can provide a plausible answer to this, I'm still going to award the bounty to it.
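An added diagnostic for the server whose certificate is not being renewed (this is not code from the question or from AD CS itself; it assumes an elevated PowerShell session on the affected server and the default event log layout). It lists the machine certificates with their template and days left, shows recent autoenrollment client events, and triggers an autoenrollment pass so the result can be observed immediately instead of after the next policy refresh.

```powershell
# Added diagnostic (not part of the original question).
# Assumes: run elevated on the server whose certificate fails to renew.

$now = Get-Date

# 1. Machine certificates: subject, template and remaining lifetime.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Template name comes from the v2 "Certificate Template Information" extension
    # (OID 1.3.6.1.4.1.311.21.7); v1 templates use 1.3.6.1.4.1.311.20.2 instead.
    $tpl = $cert.Extensions | Where-Object {
        $_.Oid.Value -in @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')
    }
    $tplName = if ($tpl) { ($tpl | ForEach-Object { $_.Format($false) }) -join '; ' }
               else { '(no template extension - not eligible for template-based renewal)' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - $now).TotalDays
        Template   = $tplName
    }
} | Sort-Object DaysLeft | Format-Table -AutoSize

# 2. Autoenrollment client events of the last 7 days (Application log).
#    Look for ID 13 (enrollment failed, with the CA error code) and ID 64
#    (certificate expiring); the message text names the template involved.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = $now.AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. Trigger an autoenrollment pass now, then re-run steps 1 and 2.
certutil -pulse
```

If the expiring certificate shows no template extension, or its template name differs from the one where renewal was enabled, the renewal setting on the template cannot apply to it.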