EF75 asked EF75 edited

Certificate authority validation and Custom Template

We have:
- Windows 2016 CA servers .
- Root CA with 5 years validation 4/22/2020 4/22/2025
- 2 Sub-ordinate Enterprise CA with the default validation of 2 years
- Certificate #0 4/22/2020 4/22/2022
- Certificate #1 4/28/2020 4/28/2022
- We did create a custom Webserver template with 3 years validation
- We did create a custom workstation template with 2 years validation for RADIUS auth, enrolled through the auto enrollment GPO, and set the Auto Enroll option for the workstations security group within that template. We have already enrolled this cert to several workstations.
1- When we issue a webserver certificate using the template, the validation date is till 4/28/2022, even though the template is based on 3 years validation! Why is that?
2- We want to modify the existing validation date of Certificate #1 and extend it to 3 years using the same key. How can we achieve this? What is the impact on existing enrolled / issued certificates on the workstations, since the certificates are used for Radius auth using Aruba Clearpass?
After extending the period, do we need to re-issue or change the values of the custom created CA templates like the workstations and the webservers? We want to avoid the workstations getting two sets of certificates enrolled automatically.
3- Can we remove Certificate #0 4/22/2020 4/22/2022, since we don't use it? How can we do this? Any impact?
Running the below commands on the Root CA server
certutil -getreg ca\ValidityPeriod
(This returns the current value of 2)
certutil -getreg ca\ValidityPeriodUnits
(This returns the current value of Years)
Example is that before the above change, we created a custom template with a validity date of 2 years and issued some certificates (those had a 2 year expiration).
If we change this template from 2 to 3 for validity period, does this cause already issued certificates from this template to stop working or do they continue to work and any newly issued certificate would get the new validity period?
Thanks for finding the time to answer our questions.

windows-server-security
FanFan-MSFT answered

Hi,
1, The lifetime of a certificate can't exceed the lifetime of the issuing CA.
Even if the template is set for 3 years, the maximum lifetime for it will be 2 years.

2, If you want to modify the existing validation date of Certificate #1 and extend it to 3 years:
We need to modify the ValidityPeriod of the Root CA to 3, since the certificate of the sub CA was issued by the Root CA.
Then renew the certificates of the SUBCA with the existing key.

Then you can change the validity period of the certificate template to three years, and the newly issued/renewed certificates will be longer than before.
There will be no impact on the existing enrolled/issued certificates.

3, It is not suggested to remove certificates that have not expired manually. Just leave it there.

4, If we change this template from 2 to 3 for validity period, does this cause already issued certificates from this template to stop working or do they continue to work and any newly issued certificate would get the new validity period?
No, as mentioned, this will not cause the already issued certificates from this template to stop working.
If you change the ValidityPeriodUnits to three on the Root CA, then when you renew the certificate for the sub-CA, the Validity Period will be 3 years.

Best Regards,
EF75 answered

Hi,
1, The lifetime of a certificate can't exceed the lifetime of the issuing CA.
Even if the template is set for 3 years, the maximum lifetime for it will be 2 years.
Thanks!

2, If you want to modify the existing validation date of Certificate #1 and extend it to 3 years:
We need to modify the ValidityPeriod of the Root CA to 3, since the certificate of the sub CA was issued by the Root CA.
Then renew the certificates of the SUBCA with the existing key.
Can you please tell us in detail how to do that?


Then you can change the validity period of the certificate template to three years, and the newly issued/renewed certificates will be longer than before.
There will be no impact on the existing enrolled/issued certificates.

3, It is not suggested to remove certificates that have not expired manually. Just leave it there.
Thanks !

4, If we change this template from 2 to 3 for validity period, does this cause already issued certificates from this template to stop working or do they continue to work and any newly issued certificate would get the new validity period?
No, as mentioned, this will not cause the already issued certificates from this template to stop working.
If you change the ValidityPeriodUnits to three on the Root CA, then when you renew the certificate for the sub-CA, the Validity Period will be 3 years.

Just another question: what will happen when the already issued certificates (2 years validation) are approaching the expiration date and need to be renewed automatically using the Auto enrolment client certificate GPO? Will the old cert be revoked automatically and removed from the personal computer certificate store, and a new one (3 years validation) be created in the certificate store of the workstation?
I can share the configuration of the root Ca and Sub including the GPO if that would help and to make sure that we are doing things correctly.
Thanks !
FanFan-MSFT answered FanFan-MSFT commented

Hi,
For your questions:
2, We need to modify the ValidityPeriod of the Root CA to 3.
To configure this, run the following commands from an administrative command prompt:
Certutil -setreg CA\ValidityPeriodUnits 3
Certutil -setreg CA\ValidityPeriod "Years"
For the steps to renew the issuing CA certificate, you can refer to the following link:
https://www.risual.com/2014/05/renew-issuingsubordinate-ca-certificate/

4, Just another question: what will happen when the already issued certificates (2 years validation) are approaching the expiration date and need to be renewed automatically using the Auto enrolment client certificate GPO? Will the old cert be revoked automatically and removed from the personal computer certificate store, and a new one (3 years validation) be created in the certificate store of the workstation?

If certificate renewal for an existing certificate occurred and resulted in an issued certificate, autoenrollment performs cleanup of the existing certificate in local storage. Cleanup will either mark the existing certificate as "archived" or delete it. The cleanup action is configured in the certificate template's Request Handling tab. The following image illustrates the cleanup setting:
[Screenshot: certificate template, Request Handling tab, cleanup setting for the existing certificate]

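As an added example (not code from the thread, and not Microsoft's), the following PowerShell function models the rule behind point 1 and the registry change in point 2: the issuing CA's ValidityPeriod/ValidityPeriodUnits registry values and the issuing CA certificate's own expiry both cap whatever the template asks for, and the earliest date wins. The issue dates and the renewed sub CA expiry in the two cases are constructed; the certutil output format in the last comment is an assumption about the default plain output.

```powershell
# Added example (not from the thread). Models how AD CS bounds a certificate's NotAfter:
# template validity, the issuing CA's registry cap (certutil -getreg CA\ValidityPeriod and
# CA\ValidityPeriodUnits) and the issuing CA certificate's own NotAfter all apply,
# and the earliest of the three is what the issued certificate gets.
function Get-EffectiveNotAfter {
    param(
        [Parameter(Mandatory)][datetime] $IssueDate,
        [Parameter(Mandatory)][int]      $TemplateValidityYears,
        [Parameter(Mandatory)][int]      $CaValidityPeriodUnits,      # CA\ValidityPeriodUnits
        [ValidateSet('Years','Months','Weeks','Days')]
        [string]                         $CaValidityPeriod = 'Years', # CA\ValidityPeriod
        [Parameter(Mandatory)][datetime] $IssuingCaNotAfter           # NotAfter of the issuing CA cert
    )
    $fromTemplate = $IssueDate.AddYears($TemplateValidityYears)
    $fromRegistry = switch ($CaValidityPeriod) {
        'Years'  { $IssueDate.AddYears($CaValidityPeriodUnits) }
        'Months' { $IssueDate.AddMonths($CaValidityPeriodUnits) }
        'Weeks'  { $IssueDate.AddDays(7 * $CaValidityPeriodUnits) }
        'Days'   { $IssueDate.AddDays($CaValidityPeriodUnits) }
    }
    $limits = [ordered]@{
        'template validity'             = $fromTemplate
        'CA ValidityPeriod registry'    = $fromRegistry
        'issuing CA certificate expiry' = $IssuingCaNotAfter
    }
    # The CA never issues past the earliest of the three limits.
    $cap = $limits.GetEnumerator() | Sort-Object Value | Select-Object -First 1
    [pscustomobject]@{
        EffectiveNotAfter = $cap.Value
        CappedBy          = $cap.Key
        FromTemplate      = $fromTemplate
        FromRegistry      = $fromRegistry
        IssuingCaExpiry   = $IssuingCaNotAfter
    }
}

# Case 1 reproduces the thread's question 1: a 3-year web server template, sub CA registry at the
# default 2 Years, and sub CA certificate #1 expiring 4/28/2022. The issue date is constructed,
# so the template's 3 years lose to the sub CA certificate's expiry.
Get-EffectiveNotAfter -IssueDate ([datetime]'2021-06-01') -TemplateValidityYears 3 `
    -CaValidityPeriodUnits 2 -IssuingCaNotAfter ([datetime]'2022-04-28')

# Case 2: sub CA certificate renewed for 3 years (constructed expiry) but the sub CA's own
# registry cap left at the default 2 Years, so the registry limit now decides instead.
Get-EffectiveNotAfter -IssueDate ([datetime]'2021-06-01') -TemplateValidityYears 3 `
    -CaValidityPeriodUnits 2 -IssuingCaNotAfter ([datetime]'2024-06-15')

# Live value on the CA itself (run as administrator). Assumes the default plain certutil
# output line of the form "  ValidityPeriodUnits REG_DWORD = 2".
# $units = [int]((certutil -getreg CA\ValidityPeriodUnits | Select-String 'REG_DWORD') -replace '.*=\s*','')
```

Case 2 is the caveat to keep in mind for point 2: the registry cap is enforced by the CA that issues the end-entity certificate, so after renewing the sub CA certificate the sub CA's own ValidityPeriodUnits must also be raised, or web server certificates stay at 2 years.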

Hi,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,


If there are any updates, welcome to share here!

Best Regards,

EF75 answered

Hi FanFan, I will modify the settings and get back to you. Will let you know. Just other questions about CERT auto enrollment and revoke.
- The option to delete the certificate is grayed out. [screenshot]
- These are the options we choose to auto enrol workstation certificate on the clients, not sure if they are okay:
1- Do we need to publish the certs to active directory to get the auth renewal working? [screenshot]
2- Radius workstations have Auto enroll rights: [screenshot]
3- options are grayed out. [screenshot]
4- do we need to have the CDP and AIA configured to get the auto renewal working properly?? [screenshot] [screenshot]
5- GPO auto enroll for workstations [screenshot]
Are we missing something to get the auto enroll and revoke working without problems?
EF75 answered FanFan-MSFT commented

Hi There, can anyone judge if the setup above will work and the certs will get renewed and the old one will be removed and revoked automatically? Any hints and remarks are more than welcome.
Best Regards,
E

Hi,
Based on my understanding, the auto-enroll will enroll and renew the certs automatically.
But can't remove the expired certs.
Following information for your reference:
https://sysadmins.lv/retired-msft-blogs/xdot509/operating-a-windows-pki-removing-expired-certificates-from-the-ca-database.aspx

Best Regards,
EF75 answered EF75 edited

Hi FanFan,
Just getting back to your answer and the question I had.
Regarding this the question below :
1- Do we need to publish the certs to active directory to get the auth renewal working ?
The answer is NO I presume ? And what will happen when I activate this option ? In which occasions would I go for this option ?
4- Do we need to have the CDP and AIA configured to get the auto renewal working properly ??
The defaults are fine ? when do i need to change these values in which occasions ?
5- GPO auto enroll for workstations
Does this mean that the CERTIFICATES will be removed automatically from the personal certificate store on the WORKSTATIONS only, and the expired or revoked certificates will remain in the DB of the Sub-Ordinate CA server (the issuer)? That's why we need to remove them manually from the DB following your link?
Is this by design? any other options available to automatically " clean up " the Certificate DB without going through the manual process ?
6- By the way, I did change the Purpose in the template to signature only and now I can choose and select the option : Delete revoked or Expired Certificate ...... within the template..

Thanks again !
EF75 answered

Hi FanFan,
Any response on the up mentioned questions and remarks?
Thanks
FanFan-MSFT answered

Hi,
For your questions:
1- Do we need to publish the certs to active directory to get the auth renewal working?
You mean the cert for the CA servers, right?
For the offline ca: yes, you have to publish it to AD
For the enterprise CA: we don't need to do this. The certs will publish in AD automatically.

4- Do we need to have the CDP and AIA configured to get the auto renewal working properly?
No.
A, If you want the clients and users to enroll and renew certs automatically, you just need to configure the group policy.
https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment
B, At the same time, give the users or computers the read, enroll and auto-enroll permissions on the templates.

5- GPO auto enroll for workstations
Does this mean that the CERTIFICATES will be removed automatically from the personal certificate store on the WORKSTATIONS only, and the expired or revoked certificates will remain in the DB of the Sub-Ordinate CA server (the issuer)? That's why we need to remove them manually from the DB following your link?
Is this by design? any other options available to automatically " clean up " the Certificate DB without going through the manual process?
We need to clean up the expired certs manually.
Operating a Windows PKI: Removing Expired Certificates from the CA Database
https://docs.microsoft.com/en-us/archive/blogs/xdot509/operating-a-windows-pki-removing-expired-certificates-from-the-ca-database

6- By the way, I did change the Purpose in the template to signature only and now I can choose and select the option: Delete revoked or Expired Certificate ...... within the template.
For this part, i tried to do this also. But it is not suggested to change the default value.

About the expired certs removing, I'm trying to do more research, if there are any latest information, i will update here!

Best Regards,
EF75 answered EF75 edited

Hi FanFan,
Thanks for the answers, just to be sure ..
1- Do we need to publish the certs to active directory to get the auth renewal working?
You mean the cert for the CA servers, right?
I was referring to the certificate Template regarding Workstation template we do auto enrol to the workstations through GPO as mentioned above in the screenshots.
For the offline ca: yes, you have to publish it to AD
What do you mean with Offline CA?
we do have Root CA running sever1 with 5 years validation 4/22/2020 4/22/2025
and Subordinate server running in server2 with two certs :
- Certificate #0 4/22/2020 4/22/2022
- Certificate #1 4/28/2020 4/28/2022
Where should I check the option publish in active directory ... or is there no need to do this in my case?

For the enterprise CA: we don't need to do this. The certs will publish in AD automatically.

5- GPO auto enroll for workstations
Does this mean that the CERTIFICATES will be removed automatically from the personal certificate on the WORKSTATIONS Only? and the expired or revoked certificates will remain in the DB of the Sub-Ordinate CA server ( the issuer) ? Thats why we need to remove them manually from the DB following your link?
Thanks for the link for removing the old certs from the DB, but what will happen to the expired computer certs on the workstations? Do they get removed automatically once they get the new certs issued from the CA subordinate server (issuer)?

6- By the way, I did change the Purpose in the template to signature only and now I can choose and select the option: Delete revoked or Expired Certificate ...... within the template.
For this part, i tried to do this also. But it is not suggested to change the default value.

About the expired certs removing, I'm trying to do more research, if there are any latest information, i will update here!

Ok Thanks will be waiting for this

Best Regards
EF75 answered

Hi There,
Anyone can response on the remarks mentioned above?
As well, we are having a strange issue. Since we are using Enterprise CA installed on domain joined Root CA and Sub-ordinate CA servers (not DCs), we are expecting, and by design, to have the root and intermediate published automatically to the trusted root certificate authority and intermediate certificate authority local stores once we add/join the servers to the domain, which is not the case right now. Can anyone help on this? Do we need to apply changes on the rootca server or intermediate ca server to get this done?
Thanks again !