If you want to issue certificates for internal web servers, RD Web Access, or WSUS via a Windows CA, you can automate this process with the help of Group Policy. This will also prevent services from failing due to expired certificates. Customized templates and a GPO are required for this.

Manual management of certificates can require some effort, especially in larger environments. In addition, there is always the risk that their expiration date is overlooked and services are then temporarily no longer accessible to users. The so-called autoenrollment provides a remedy here.

This procedure works basically the same way for user and computer certificates. With the former, care should be taken to ensure that the automatic issuing does not lead to uncontrolled growth of certificates.

For autoenrollment, the following components and actions are required:

  • Certificate templates must be configured for automatic certificate issuance
  • The relevant templates must be activated
  • A GPO that configures clients to request certificates on their own must be in place

Furthermore, the clients must be able to connect to the CA.

Creating a certificate template

Since we want to issue SSL certificates automatically in our example, it seems obvious to use the existing Web Server template for this. However, that template is still based on schema version 1 and is therefore not suitable for automatic enrollment.

Therefore, we create a copy of the Web Server template for our purpose and configure it according to our requirements. To do this, open the certificate template console certtmpl.msc and execute the Duplicate Template command from the context menu of the Web Server template.

Create a copy of the template web server

The snap-in then shows the Compatibility tab of the new template. Depending on your environment, you can specify the OS versions of the certification authority and the certificate recipients. Newer versions of Windows often include additional options for issuing certificates.

By selecting a newer Windows version additional functions can be added

Then switch to the General tab and assign a name to the new template. Here, you can also change the validity period. The option Publish certificate in Active Directory remains deactivated for SSL certificates; it is intended for user certificates that are used to encrypt email and the file system.

On the General tab assign the name for the new template

The settings under Request Handling can be left as they are in the Web Server template. It is usually not necessary to allow the private key to be exported, because the certificate is only used on the computer from which it was requested.

The settings under Request Handling can usually be left as they are, since they are taken over from the Web Server template

On the Subject Name tab, make sure that the requesting computer retrieves its name from Active Directory. The default format is the Common Name, but you can also select either the FQDN or the DNS name. The latter can also be used for the Alternate Subject Name.

Information for Subject Name and Alternate Subject Name

If you only want to renew existing certificates, then the option Supply in the request comes in handy. If you tick the checkbox Use subject information from existing certificates for autoenrollment renewal requests, then the Subject Name and Alternate Subject Name are taken from an existing certificate based on the same template.

Finally, the settings under Security are of particular importance. There, you have to grant the requesting party not only the Read and Enroll permissions, but also Autoenroll.

For the automatic enrollment of certificates the requesting computer needs the corresponding permission

In the case of SSL certificates, these are computer accounts. They should be included in a security group, which will then be assigned this right.

This completes the configuration of the new template, and you can now save it.

Activating the template

To make the newly created template ready for use, you have to activate it for the certification authority. To do so, open certsrv.msc, switch to the Certificate Templates section in the navigation pane, and select New > Certificate Template to Issue from the context menu.

Activating the new template via certsrv.msc

In the following dialog box, select the newly created template and click OK.
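The two CA-side prerequisites covered so far (a version 2 or later template that grants Read, Enroll and Autoenroll to the computer group, and that template being published on the CA) can be verified from any domain-joined machine. The following PowerShell script is an added example and is not code from the 4sysops article; it reads the template and the CA object from the Configuration partition via ADSI. The template name, group name and CA name are placeholders for your environment, and the script assumes the caller may read the Public Key Services container (any authenticated user can by default).

```powershell
# Added verification script (not part of the article). Checks that a duplicated
# template is usable for autoenrollment and that the CA publishes it.
# Placeholders (assumed, adjust to your environment):
#   -TemplateName  name of the duplicated template
#   -GroupName     security group that contains the requesting computer accounts
#   -CaName        CA common name as shown in certsrv.msc
param(
    [string]$TemplateName = 'WebServerAutoEnroll',
    [string]$GroupName    = 'CONTOSO\WebServers',
    [string]$CaName       = 'contoso-CA01-CA'
)

$rights = [System.DirectoryServices.ActiveDirectoryRights]
# Well-known extended rights that "Enroll" and "Autoenroll" map to on templates
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment

$configNC   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNC"
$templateDn = "CN=$TemplateName,CN=Certificate Templates,$pkiBase"
$caDn       = "CN=$CaName,CN=Enrollment Services,$pkiBase"

if (-not [ADSI]::Exists("LDAP://$templateDn")) { throw "Template '$TemplateName' not found at $templateDn" }
$template = [ADSI]"LDAP://$templateDn"

# 1. Schema version: the built-in Web Server template is version 1, which autoenrollment cannot use
$schemaVersion = [int]$template.Properties['msPKI-Template-Schema-Version'].Value
$schemaOk = $schemaVersion -ge 2

# 2. Permissions: Read plus the Enroll and Autoenroll extended rights for the group
$read = $enroll = $autoenroll = $false
$acl = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
foreach ($ace in $acl) {
    if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne $GroupName) { continue }
    $r = $ace.ActiveDirectoryRights
    if ($r.HasFlag($rights::GenericAll)) { $read = $enroll = $autoenroll = $true; continue }
    if ($r.HasFlag($rights::ReadProperty)) { $read = $true }
    if ($r.HasFlag($rights::ExtendedRight)) {
        # an empty ObjectType GUID means "all extended rights"
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $EnrollGuid)     { $enroll = $true }
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $AutoEnrollGuid) { $autoenroll = $true }
    }
}

# 3. Publication: the CA object lists every template it is allowed to issue
$published = $false
if ([ADSI]::Exists("LDAP://$caDn")) {
    $ca = [ADSI]"LDAP://$caDn"
    $published = @($ca.Properties['certificateTemplates']) -contains $TemplateName
} else {
    Write-Warning "CA object '$CaName' not found under Enrollment Services; check -CaName"
}

[pscustomobject]@{
    Template               = $TemplateName
    SchemaVersion          = $schemaVersion
    SchemaOk               = $schemaOk
    Group                  = $GroupName
    Read                   = $read
    Enroll                 = $enroll
    Autoenroll             = $autoenroll
    PublishedOnCA          = $published
    ReadyForAutoenrollment = ($schemaOk -and $read -and $enroll -and $autoenroll -and $published)
}
```

A result with PublishedOnCA set to False usually means the Certificate Template to Issue step was skipped; Enroll or Autoenroll set to False means the ACE on the Security tab was granted to a different principal than the group the computers are actually in.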

Defining Group Policy

Finally, we need a GPO that instructs the computers in question to request certificates automatically. To do this, link a new group policy object to the desired OUs or domains and open it in the GPO editor.

There, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the setting Certificate Services Client - Auto-Enrollment.

Configuring GPO setting for automatic certificate issuance and renewal

The other options are displayed after you have picked a setting under Configuration Model. Here, select both checkboxes and define the percentage of remaining validity at which expiry warnings for a certificate appear. Usually, you can keep the default value of 10 percent.

As soon as the GPO is applied to the target computers (e.g., by executing gpupdate), a scheduled task checks whether a certificate needs to be requested or renewed. The process is triggered when the computer is restarted. Alternatively, you can kick off the process explicitly with:

certutil -pulse

In the snap-in for the certification authority, you can see whether a certificate was issued automatically
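On a target computer, the same steps (policy applied, scheduled task present, manual trigger, result) can be checked in one go. The script below is an added example, not code from the article. It assumes the placeholder template name 'WebServerAutoEnroll', an optional CA config string in the usual host\CAName form, and the registry layout of the Auto-Enrollment policy (value AEPolicy with bits 0x1 enabled, 0x2 renew/update/remove, 0x4 update template-based certificates, 0x8000 disabled; value AEExpirationPercent for the threshold) as well as the event provider name used for autoenrollment messages; treat those names and bit values as assumptions to confirm against your own machine.

```powershell
# Added client-side check (not from the article). Run on a computer in the GPO's scope.
#   -TemplateName  placeholder for the template created earlier
#   -CaConfig      optional "host\CAName" string for a connectivity test (assumed placeholder)
#   -Pulse         also trigger autoenrollment now, like running certutil -pulse by hand
param(
    [string]$TemplateName = 'WebServerAutoEnroll',
    [string]$CaConfig,
    [switch]$Pulse
)

# 0. Clients must be able to reach the CA; certutil -ping talks to the CA's RPC interface
if ($CaConfig) { certutil -config $CaConfig -ping }

# 1. Policy state written by "Certificate Services Client - Auto-Enrollment"
#    (value names and bit meanings are assumptions, see lead-in)
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if (-not $pol) {
    Write-Warning "No autoenrollment policy found; run gpupdate /force and check the GPO link and scope"
} else {
    $ae = [int]$pol.AEPolicy
    [pscustomobject]@{
        Enabled                 = (($ae -band 0x1) -ne 0) -and (($ae -band 0x8000) -eq 0)
        RenewUpdateRemove       = ($ae -band 0x2) -ne 0   # first checkbox in the GPO dialog
        UpdateTemplateBasedCert = ($ae -band 0x4) -ne 0   # second checkbox in the GPO dialog
        ExpirationPercent       = $pol.AEExpirationPercent
    } | Format-List
}

# 2. The scheduled task that performs the periodic check
Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' -TaskName 'SystemTask' |
    Select-Object TaskName, State

# 3. Optional manual trigger; give the client a moment to finish before reading results
if ($Pulse) { certutil -pulse | Out-Null; Start-Sleep -Seconds 10 }

# 4. Certificates in the machine store issued from the template. The Certificate
#    Template Information extension (OID 1.3.6.1.4.1.311.21.7) names the template.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if ($ext -and $ext.Format($false) -match "Template=$([regex]::Escape($TemplateName))") {
        [pscustomobject]@{ Subject = $_.Subject; NotAfter = $_.NotAfter; Thumbprint = $_.Thumbprint }
    }
}

# 5. Recent autoenrollment events; failures carry the reason (e.g. CA not reachable, access denied)
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If step 4 lists no certificate although the policy is enabled and the task exists, the events in step 5 are the first place to look: an access-denied message points back to the Autoenroll permission on the template, a connectivity error to the CA not being reachable from the client.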

Assigning a certificate to services

If a certificate has just been issued or renewed, it must still be assigned to the relevant services. This may have to be done manually.

Enabling automatic binding of renewed certificates in IIS Manager

Since version 8.5, IIS has supported automatic Certificate Rebind when the certificate is renewed. The corresponding setting can be found under Server Certificates > Actions and is called Enable Automatic Rebind of Renewed Certificate.
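Where automatic rebind is not available (IIS before 8.5) or not enabled, the assignment has to be done by hand. The following script is an added example and is neither code from the article nor Microsoft's rebind feature: for every HTTPS binding it reports the bound certificate's remaining lifetime and whether a newer certificate with the same subject exists in the machine store, and with -Rebind it switches the binding to that certificate. It assumes the WebAdministration module (IIS Management Scripts and Tools) is installed and that a renewed certificate keeps the subject of the one it replaces, which is the case for certificates issued from the same template.

```powershell
# Added example (not from the article): report and optionally fix HTTPS bindings
# whose certificate has been renewed in the store but not yet assigned in IIS.
#   -Rebind   actually change the binding; without it the script only reports
param([switch]$Rebind)
Import-Module WebAdministration

# Only certificates with a private key can serve TLS
$store = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

foreach ($binding in Get-WebBinding -Protocol https) {
    $current = $store | Where-Object { $_.Thumbprint -eq $binding.certificateHash }
    if (-not $current) {
        Write-Warning "$($binding.bindingInformation): bound certificate $($binding.certificateHash) is not in the machine store"
        continue
    }

    # A renewed certificate keeps the subject but gets a new thumbprint and a later NotAfter
    $newest = $store | Where-Object { $_.Subject -eq $current.Subject } |
              Sort-Object NotAfter -Descending | Select-Object -First 1
    $daysLeft = [int]($current.NotAfter - (Get-Date)).TotalDays

    [pscustomobject]@{
        Binding     = $binding.bindingInformation
        Subject     = $current.Subject
        DaysLeft    = $daysLeft
        Bound       = $current.Thumbprint
        Newest      = $newest.Thumbprint
        NeedsRebind = ($newest.Thumbprint -ne $current.Thumbprint)
    }

    if ($Rebind -and $newest.Thumbprint -ne $current.Thumbprint) {
        # AddSslCertificate replaces the certificate of this binding in place
        $binding.AddSslCertificate($newest.Thumbprint, 'My')
        Write-Host "Rebound $($binding.bindingInformation) to $($newest.Thumbprint) (valid until $($newest.NotAfter))"
    }
}
```

Run it without -Rebind first; a row with NeedsRebind set to True and a small DaysLeft value is exactly the situation the article warns about, where autoenrollment has already renewed the certificate but the service is still presenting the old one.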

© 4sysops 2006 - 2021