question

0 Votes
VenkataChaitanyaRajuKonduru-4501 asked · DaisyZhou-MSFT answered

SSL Thumbprint for the Certificate Enrollment Web service

Hi,

We have come across the commands in the Microsoft article below:

https://docs.microsoft.com/en-us/powershell/module/adcsdeployment/install-adcsenrollmentwebservice?view=windowsserver2019-ps

Install-AdcsEnrollmentWebService -ApplicationPoolIdentity -CAConfig "CA1.contoso.com\contoso-CA1-CA" -SSLCertThumbprint "Thumbprint001" -AuthenticationType Certificate

-SSLCertThumbprint
Specifies the hash or thumbprint of the Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate for a web site as a string value. This parameter is optional. If used, it establishes the necessary binding with Internet Information Server (IIS) to enable support for the required SSL/TLS connectivity. If a binding already exists within IIS, specifying this parameter overwrites the existing binding. If this parameter is not specified, any existing binding is used. If no bindings exist, installation succeeds, but the service will not function until the binding is established manually.


1) Is this the thumbprint of the certificate that's present on the IIS which will be used to secure the connections of the Certificate Enrollment Web service? If yes, then what happens to the service when the certificate gets renewed next year? Or

2) Is this the thumbprint of the certificate of the CA which will take care of the CES service requests?

windows-server-security

@FanFan-MSFT @Crypt32 Could you please help me on this?


Regards,
Chaitanya.

0 Votes 0 ·
1 Vote
Crypt32 answered · Crypt32 commented

The cmdlet parameter documentation explains what thumbprint is expected. It is the TLS certificate thumbprint, not the CA certificate.

If yes then what happens to the service when the certificate gets renewed next year?

You will have to manually update the bindings in IIS, or use automatic rebinding: https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85


Hi @Crypt32,

Thank you for your input. So it means the SSL thumbprint is not mandatory to be supplied in the command, right? Once the service is installed, I can manually go to the IIS bindings and tag the certificate.

Regards,
Chaitanya.

0 Votes 0 ·
Crypt32 · VenkataChaitanyaRajuKonduru-4501 ·

If you do not specify the SSL certificate thumbprint, then you have to manually configure the SSL binding in IIS.

0 Votes 0 ·
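As an added example, not from this thread or from Microsoft's documentation: a PowerShell sequence that selects the web server's TLS certificate by its Server Authentication EKU (so the CA certificate cannot be picked by mistake), passes its thumbprint to Install-AdcsEnrollmentWebService, and then reads back the HTTPS binding IIS actually holds. The host name ces.contoso.com and the assumption that the certificate's SAN contains it are mine; the CA config string is the one quoted in the question.

```powershell
# Added example. Assumptions: CES runs on ces.contoso.com and the TLS
# certificate (with private key) already sits in LocalMachine\My.
$CesHost  = 'ces.contoso.com'
$CaConfig = 'CA1.contoso.com\contoso-CA1-CA'

# -SSLCertThumbprint wants the IIS TLS certificate, not the CA certificate.
# Exclude anything flagged CA in Basic Constraints, require the Server
# Authentication EKU (1.3.6.1.5.5.7.3.1), a private key and a valid period.
$tlsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.DnsNameList.Unicode -contains $CesHost) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        -not ($_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
            $_.CertificateAuthority })
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $tlsCert) {
    throw "No server-authentication certificate for $CesHost found in LocalMachine\My"
}
'Using TLS certificate {0} (expires {1})' -f $tlsCert.Thumbprint, $tlsCert.NotAfter

# Same parameters as the command quoted in the question, with the thumbprint
# taken from the selected certificate instead of a placeholder string.
Install-AdcsEnrollmentWebService -ApplicationPoolIdentity `
    -CAConfig $CaConfig `
    -SSLCertThumbprint $tlsCert.Thumbprint `
    -AuthenticationType Certificate

# Read back which certificate IIS bound for HTTPS. After a renewal this hash is
# what must change, either by hand or via IIS certificate rebind; the cmdlet
# will not update it for you.
Import-Module WebAdministration
Get-WebBinding -Protocol https |
    Select-Object bindingInformation, certificateHash, certificateStoreName
```

Comparing the reported certificateHash with the thumbprint of the renewed certificate is a quick way to spot a binding that was left on the expired one.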
0 Votes
DaisyZhou-MSFT answered

Hello @VenkataChaitanyaRajuKonduru-4501,

Thank you for posting here.

I think the answer from Crypt32 is very helpful.

Hope the answer provided by Crypt32 is also helpful to you.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
