stefanMinehan-1348 asked cthivierge answered

Certificate renewal - Template autoenroll permission.

Hi Folks,

This seems like a simple question, but I can't seem to find a concrete answer.

With regard to a certificate template with the 'Autoenroll' permission (with the Server Authentication OID, for argument's sake, intended for computer objects):

If a valid certificate exists on a server which was built from this template, will it auto-renew with no extra GPO settings in place, or just expire?

Would it then try and enrol another certificate after the expiry date? Or would the expired certificate just sit there?

Cheers

Tags: windows-server, windows-server-security

cthivierge answered

Yes, for Autoenrollment to be enabled, you need to have several things configured.

  1. A Certificate template with "Server Authentication"

  2. Configure security and enable AutoEnroll for the required computer account (or Domain Computers)

  3. Configure Group Policy and enable the following parameters:
    In Group Policy Management:
    [image: cert01.png]

    And enable the following settings:
    [image: cert02.png]



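The three prerequisites listed in the answer above can be verified from the server itself. The following script is an added example (not code from the answer or from Microsoft): it reads the AEPolicy value that the "Certificate Services Client - Auto-Enrollment" GPO writes under HKLM, then fetches the template object from the Configuration partition and lists which principals hold the Enroll and Autoenroll extended rights on it. It assumes a domain-joined machine with the RSAT ActiveDirectory module installed; the template name `WebServerAutoEnroll` is a placeholder for whatever your template's CN is.

```powershell
# Added example, not part of the original answer. Checks the three
# autoenrollment prerequisites for a computer certificate template:
#  1. the Auto-Enrollment GPO is applied (registry value written by the GPO),
#  2. the template carries the Server Authentication EKU,
#  3. the template grants Enroll/Autoenroll to the computer (or Domain Computers).
# Assumes: domain-joined host, RSAT ActiveDirectory module available.
param([string]$TemplateName = 'WebServerAutoEnroll')   # hypothetical template CN

Import-Module ActiveDirectory

# --- 1. Policy state as written by the GPO to the machine hive -------------
# Bit 0x1 = Enabled, 0x2 = "Renew expired certificates, update pending
# certificates, and remove revoked certificates", 0x4 = "Update certificates
# that use certificate templates", 0x8000 = explicitly disabled.
$aePath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) {
    Write-Warning 'AEPolicy is not set: no Auto-Enrollment GPO applies to this computer.'
} elseif ($aePolicy -band 0x8000) {
    Write-Warning 'Autoenrollment is explicitly disabled by policy.'
} else {
    '{0,-50} {1}' -f 'Autoenrollment enabled:',                        [bool]($aePolicy -band 0x1)
    '{0,-50} {1}' -f 'Renew expired / update pending / remove revoked:', [bool]($aePolicy -band 0x2)
    '{0,-50} {1}' -f 'Update certificates that use templates:',          [bool]($aePolicy -band 0x4)
}

# --- 2. Template object and EKU in the Configuration partition -------------
$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplDN   = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl     = Get-ADObject -Identity $tmplDN -Properties pKIExtendedKeyUsage, nTSecurityDescriptor

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
'{0,-50} {1}' -f 'Template has Server Authentication EKU:', ($tmpl.pKIExtendedKeyUsage -contains $serverAuthOid)

# --- 3. Enroll / Autoenroll are extended rights identified by GUID in the ACL
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

$tmpl.nTSecurityDescriptor.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $right = $null
        if ($_.ActiveDirectoryRights -match 'GenericAll') {
            $right = 'GenericAll (implies Enroll + Autoenroll)'
        } elseif ($_.ActiveDirectoryRights -match 'ExtendedRight') {
            if     ($_.ObjectType -eq $autoenrollGuid) { $right = 'Autoenroll' }
            elseif ($_.ObjectType -eq $enrollGuid)     { $right = 'Enroll' }
            elseif ($_.ObjectType -eq [guid]::Empty)   { $right = 'All extended rights (implies Enroll + Autoenroll)' }
        }
        if ($right) { [pscustomobject]@{ Principal = $_.IdentityReference; Right = $right } }
    } | Format-Table -AutoSize
```

The computer account needs both Enroll and Autoenroll (directly or through a group such as Domain Computers) for the template to be picked up by autoenrollment; an ACE with only Enroll lets you request manually with certreq but autoenrollment will skip the template.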

cthivierge answered stefanMinehan-1348 commented

Theoretically, the certificate template should have a "renewal period", so only when the certificate is within the renewal period will the computer try to request a new one.

If your computer already has another certificate that has been requested automatically (using autoenrollment), it should not try to request a new one except within the renewal period.

When the certificate is renewed, the old one should be removed automatically from the personal store of the server.

If you have done a manual request of the certificate template (the certificate that has Autoenrollment enabled), the server will not request another certificate from the same template, and if I remember correctly, the auto renew should work.

hth

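The "renewal period" the answer above refers to is the template's pKIOverlapPeriod in AD, and autoenrollment only tries to renew once the certificate's remaining lifetime falls inside it. The following script is an added example (not code from the answer or from Microsoft): for each certificate in the machine's personal store that was issued from a template, it reads the template OID from the Certificate Template Information extension, looks the template up in the Configuration partition, decodes its validity and renewal periods, and reports whether the certificate is already inside its renewal window. It assumes a domain-joined machine with the RSAT ActiveDirectory module; the regex that extracts the template OID from the extension's Format() output is an assumption about that output's shape (Template=Name(OID), ...).

```powershell
# Added example, not part of the original answer. Reports, for every
# template-issued certificate in Cert:\LocalMachine\My, when autoenrollment
# will start trying to renew it (NotAfter minus the template's renewal period).
# Assumes: domain-joined host, RSAT ActiveDirectory module available.

Import-Module ActiveDirectory

# pKIExpirationPeriod / pKIOverlapPeriod are stored as a negative little-endian
# Int64 count of 100-nanosecond ticks; negate to get a positive TimeSpan.
function ConvertFrom-PkiPeriod([byte[]]$Bytes) {
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

$templatesDN = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
$now = Get-Date

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # v2+ templates stamp the issued cert with extension 1.3.6.1.4.1.311.21.7
    # (Certificate Template Information), which carries the template OID.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if (-not $ext) { continue }   # not issued from a v2+ template (or not AD CS at all)

    # Format() renders text such as
    # "Template=Name(1.3.6.1.4.1.311.21.8.a.b.c.d.e.f.g.h), Major Version Number=100, ..."
    # Template OIDs are long dotted strings; grab the first one with 10+ components.
    $m = [regex]::Match($ext.Format($false), '\d+(?:\.\d+){9,}')
    if (-not $m.Success) { Write-Warning "Could not parse template OID for $($cert.Thumbprint)"; continue }
    $oid = $m.Value

    $tmpl = Get-ADObject -SearchBase $templatesDN -LDAPFilter "(msPKI-Cert-Template-OID=$oid)" -Properties pKIExpirationPeriod, pKIOverlapPeriod
    if (-not $tmpl) { Write-Warning "Template $oid for $($cert.Thumbprint) not found in AD"; continue }

    $validity  = ConvertFrom-PkiPeriod $tmpl.pKIExpirationPeriod
    $overlap   = ConvertFrom-PkiPeriod $tmpl.pKIOverlapPeriod
    $renewFrom = $cert.NotAfter - $overlap          # start of the renewal window

    if     ($now -gt $cert.NotAfter) { $state = 'Expired' }
    elseif ($now -ge $renewFrom)     { $state = 'In renewal window' }
    else                             { $state = 'Not yet renewable' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Template      = $tmpl.Name
        Validity      = $validity
        RenewalPeriod = $overlap
        NotAfter      = $cert.NotAfter
        RenewalOpens  = $renewFrom
        State         = $state
    }
}

# Machine autoenrollment runs from the scheduled task
# \Microsoft\Windows\CertificateServicesClient\SystemTask; to trigger a pass
# immediately instead of waiting for the next run, execute:  certutil -pulse
```

If a certificate shows "In renewal window" but is never replaced, check the Auto-Enrollment GPO and the template's Autoenroll permission before suspecting the CA, since without those the client never attempts the renewal at all.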

Hi Cthivierge,

Thank you for the response, that's some useful information! :)

As for the first part of my question, are you aware if the GPO settings are required for auto enrollment/renewal to take place?

The settings being those configured by group policy
"Click Public Key Policies. In the details pane, double-click Certificate Services Client - Auto-Enrollment. The Properties dialog box opens. Configure the following items, and then click OK:

In Configuration Model, select Enabled.
Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
Select the Update certificates that use certificate templates check box."

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

I'll test it in the meantime, but it means waiting 2 days for cert expiry and I'm impatient when it comes to learning about things haha :)

Cheers
