AemilianusKehler-4003 asked (edited):

Auto Cert Renewal simply deletes old certificates

Last year I had taken some steps to implement automatic certificate renewals, which included the following: creating a new certificate template (a copy of Web Server), but with Schema Version 4 and Version 100.7. The Subject Name tab has the checkbox enabled for "Supply in request" to fill in (what I assume will be) the common name and the SAN.

OK, so far so good. However, I had left the cert to expire within 1 year, and I guess I forgot to follow up on the ticket I had created. I also forgot to set sensors on the service, and there was a service interruption. When I went to check on the service, it was quickly discovered that the certificate had expired; checking IIS showed no certificate bound to the SSL/HTTPS listener, and checking the machine certificate store showed the certificate had been deleted.

I found this link, personal-certificates-disappears-exchange-efs, where Wendy provided an action plan. I validated the registry was set to 0x000000007. The machine is able to request a certificate without issue when I issue them manually. Then something fails; I don't know what yet, but it still deletes the certificate. What can I do to get auto-enrollment to work? Are there any log locations? I noticed the task scheduler folder mentioned by Wendy in the second link only had 3 items, whereas my server shows 6 items? Server is 2016.


windows-server-security
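The question asks where auto-enrollment logs live and how to tell whether a certificate was deleted or merely archived. The following PowerShell script is an added example written for this thread, not code from the asker or from Microsoft. It gathers the pieces the thread mentions on one Windows Server 2016 machine: the AEPolicy registry value (0x7 = enabled, renew expired, update pending, remove revoked), the machine store opened with archived certificates included, the two event logs the auto-enrollment client writes to, and the scheduled-task folder under CertificateServicesClient. The subject filter is a constructed placeholder; run the script in an elevated session.

```powershell
# Added diagnostic script for the auto-enrollment problem in this thread.
# Not from the question; run elevated on the web server.
$subjectFilter = 'web01.corp.example'   # constructed placeholder: your server's CN

# 1. AEPolicy as set by GPO (Policies key) and the local default key. 0x7 is the value
#    the thread refers to: auto-enroll, renew expired, update pending, remove revoked.
foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment',
                 'HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment') {
    $val = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $val) { "$key : AEPolicy not set" } else { "$key : AEPolicy = 0x{0:x}" -f $val }
}

# 2. Machine personal store including archived certificates. The Cert: drive and the
#    MMC hide archived entries by default, which is what made the old cert look deleted.
$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
         [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open($flags)
$store.Certificates |
    Where-Object { $_.Subject -like "*$subjectFilter*" } |
    Sort-Object NotAfter -Descending |
    Select-Object Thumbprint, NotBefore, NotAfter, Archived, HasPrivateKey,
        @{ n = 'Template'; e = {
            # Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7)
            $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
            if ($ext) { $ext.Format($false) } else { '(v1 template or none)' } } } |
    Format-Table -AutoSize
$store.Close()

# 3. Log locations. Enrollment failures land in the Application log under the
#    AutoEnrollment provider; install/replace/delete/expiry of machine certificates
#    is recorded in the Lifecycle-System operational log.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = (Get-Date).AddDays(-30)
} | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 25 `
    -LogName 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational' |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. The scheduled-task folder whose item count the thread compares.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' |
    Select-Object TaskName, State, @{ n = 'LastRun'; e = { ($_ | Get-ScheduledTaskInfo).LastRunTime } }

# 5. Trigger an auto-enrollment pass now, then re-run steps 2 and 3 to see what happened.
certutil -pulse
```

Reading the output: a row with Archived = True and an expired NotAfter next to a newer row with the same template is the "archived, not deleted" situation the asker later found; a failure event from the AutoEnrollment provider immediately after `certutil -pulse` points at the template or CA permissions rather than at IIS.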

I see there have been no comments yet. I did some further research and I discovered the old certificate was not in fact deleted but rather it was simply archived.
With this new info I have a couple of other questions, since when I checked IIS it stated there was no cert bound to the SSL listener for the site.
1) Does IIS not support using archived certs? (It would appear it does not and simply removes the cert from the listener; the site will still use the old one (in memory?) till the site is restarted and it fails? I haven't tested this.)
2) When I got on the server and attempted to click on the computer object in the cert MMC snap-in, and from the context menu I chose "All Tasks -> Automatically Enroll and Retrieve Certificates", I then get the error "Certificate Types are not available". I found this link, but it leads to a dead end; everything I've checked as well. Why can't this wizard detect the certificate template that I can see when I manually request a new certificate?



Anyone? Hints? Suggestions?

ryanchill replied:

Hi @AemilianusKehler-4003,

Apologies that you haven't been getting any traction on this. Correct me if I'm wrong but you're implementing auto cert renewal for a Windows Server 2016 machine; is this an on-prem server or a cloud VM?


Everything's on-prem.


Sooooooo... Anyone? Any help at all?


1 Answer

AemilianusKehler-4003 answered (edited):

Is anyone here actually willing to help people, or?

Like seriously what gives here? I still have this problem and have got zero help...

Update: checking the computer cert store, it appears there is a new auto-generated certificate. One thing, however, is that the certificate is used by an IIS website, and when I check that site's binding it doesn't appear to have the new cert bound. Checking the service shows the old cert is still being served, and I presume, much like last time, that if nothing is done it will eventually fail, either when the expiry date passes or if the instance is stopped and restarted (like from a reboot), as there is no cert defined in the IIS web bindings.

Now the only issue seems to be rebinding the certificate to the IIS website it is bound to. Any idea how this is handled?

https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85

Just read this and I clicked the option "Enable Automatic Rebind of Renewed Certificates". Hopefully this completes the task and everything will work automatically from here on in.
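The answer ends with the IIS 8.5 "Enable Automatic Rebind of Renewed Certificates" option, but the gap it describes (a renewed certificate sitting in the store while the HTTPS binding still points at the old one, or at nothing) is worth checking explicitly after each renewal. The script below is an added example, not the answerer's code and not part of the linked Microsoft article. It compares the thumbprint an IIS HTTPS binding carries with the newest unexpired certificate in the machine store that has the same subject, and rebinds only when they differ. The site name and expected subject are constructed assumptions; the WebAdministration module that ships with IIS provides `Get-WebBinding` and the binding's `AddSslCertificate` method.

```powershell
# Added example: detect and repair a stale IIS HTTPS binding after auto-enrollment
# renewed the certificate. Not from the answer; run elevated on the IIS server.
Import-Module WebAdministration

$siteName        = 'Default Web Site'            # assumption: the site from the thread
$port            = 443
$expectedSubject = 'CN=web01.corp.example'       # constructed placeholder, used only when
                                                 # the binding currently has no certificate

# The HTTPS binding for the site and port; certificateHash is the bound thumbprint
# (empty when IIS dropped the archived certificate, as the thread describes).
$binding = Get-WebBinding -Name $siteName -Protocol https |
    Where-Object { $_.bindingInformation -like "*:${port}:*" } |
    Select-Object -First 1
if (-not $binding) { throw "No HTTPS binding on port $port for site '$siteName'" }

$boundThumb = $binding.certificateHash
$bound      = if ($boundThumb) { Get-Item "Cert:\LocalMachine\My\$boundThumb" -ErrorAction SilentlyContinue }
$subject    = if ($bound) { $bound.Subject } else { $expectedSubject }

# Newest usable certificate with that subject: unexpired, with a private key, and
# eligible for server authentication (-SSLServerAuthentication filters on the EKU).
$newest = Get-ChildItem Cert:\LocalMachine\My -SSLServerAuthentication |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $newest) { throw "No valid certificate for '$subject' in LocalMachine\My" }

"Bound : {0}" -f ($(if ($bound) { "$($bound.Thumbprint) (expires $($bound.NotAfter))" } else { '<none>' }))
"Newest: {0} (expires {1})" -f $newest.Thumbprint, $newest.NotAfter

if ($newest.Thumbprint -ne $boundThumb) {
    # AddSslCertificate updates both the IIS binding and the HTTP.sys SSL binding.
    $binding.AddSslCertificate($newest.Thumbprint, 'My')
    "Rebound '$siteName':$port to $($newest.Thumbprint)"
} else {
    "Binding already uses the newest certificate; nothing to do"
}

# Confirm what HTTP.sys will actually serve on the next connection.
netsh http show sslcert ipport=0.0.0.0:$port
```

The `netsh` line at the end matters for the "old cert still being served" observation in the answer: the IIS configuration and the HTTP.sys SSL binding are separate, and a mismatch between them is exactly the state that survives until the site or server restarts.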
