How can you trigger certificates to renew when they are still valid? AD CS

J Slack 41 Reputation points
2023-06-12T09:52:36.6733333+00:00

Hi,

Not sure if I have found the right tags for this question, no idea. Active Directory Certificate Services.

I have a CA that's issuing certs, all working OK.

There are upcoming changes to Kerberos in November which will mean that the reports of KDC Error 39 we are seeing on domain controllers will change from being a warning to a failed authentication, once the update gets released to enforce this security change to the KDC. KB5014754.

I just created a report on the certs that will not have renewed since the initial update went on back in Nov last year and will not have renewed by November this year. As we have multiple 2 year certs we have over 2000 certs that will suddenly fail in November.

Is there a way to either bulk or one by one, get these certs to renew from the Certificate Authority?

I don't really want to go round to machines to manually renew over 2000 certs. Is there a central way to ask clients to renew their certs from the Windows CA?

And yes, I know 2 year certs are not great. If it was my choice they would not be 2 year. But unfortunately that's not my call. Regardless, that's what we have, so just need a smart way to ask the certs that won't renew by 14th Nov 2023 to get on and manually renew. Otherwise come 15th Nov 2023, we will have over 2000 different things failing authentication (we see KDC Error 39s spamming the DC event logs right now).

Any advice on getting these certs renewed in a sensible manner would be greatly appreciated.


1 answer

    Limitless Technology 44,751 Reputation points
    2023-06-13T10:09:10.13+00:00

    Hello,

    Thank you for your question and for reaching out with your question today.

    To address the upcoming changes to Kerberos and ensure that the certificates are renewed in a sensible manner, you can consider the following approach:

    1. Identify the affected certificates: Use the report you created to identify the certificates that will not have renewed by November. This will help you determine which certificates need to be renewed.
    2. Send renewal notifications: Notify the certificate owners/users about the upcoming certificate renewal. Provide instructions on how they can renew their certificates from the Windows CA. You can use email or other communication channels to inform them about the importance of renewing their certificates before the deadline.
    3. Provide renewal instructions: Clearly communicate the steps and guidelines for certificate renewal. Include information on how users can request certificate renewal from the Windows CA and any specific requirements or procedures they need to follow.
    4. Automate certificate renewal: If feasible, explore the possibility of automating the certificate renewal process. You can use tools such as PowerShell scripts or certificate management software to automatically request and renew certificates from the Windows CA. This can help streamline the process and minimise manual efforts.
    5. Provide assistance and support: Offer assistance to users who may require help or have questions regarding the certificate renewal process. Set up a support channel or helpdesk to address any issues or concerns raised by users during the renewal process.
    6. Monitor and track renewals: Implement a monitoring mechanism to track the progress of certificate renewals. Regularly check the renewal status of certificates and follow up with users who have not yet renewed their certificates as the deadline approaches. This will help ensure that all necessary certificates are renewed before the enforcement of the Kerberos changes.

    By following these steps, you can facilitate the renewal of certificates in a centralised and efficient manner, minimising the impact of the upcoming Kerberos changes and avoiding authentication failures caused by expired certificates.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

    Best regards.
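One concrete way to do step 4 (automating the renewal from a central point) is to push a renewal command to each machine over WinRM. The script below is an added example, not code from the answer or from Microsoft: it finds machine certificates that are still valid on the enforcement date and lack the SID extension that KB5014754 added (OID 1.3.6.1.4.1.311.25.2), and asks the issuing CA to renew each one with `certreq -enroll ... renew`. The computer list file and the issuer name are placeholders; it assumes WinRM is enabled on the targets, the caller is a local administrator there, and the certificates came from templates the computer account is allowed to renew.

```powershell
# Added example (not the answer's or Microsoft's code). Assumptions: WinRM is
# enabled on the targets, the caller is a local administrator there, and the
# certificates were issued from templates the computer account may renew.
$Enforcement = Get-Date '2023-11-14'          # enforcement date named in the question
$SidExtOid   = '1.3.6.1.4.1.311.25.2'         # SID extension introduced by KB5014754
$IssuerMatch = '*CN=CONTOSO-ISSUING-CA*'      # placeholder: your issuing CA's subject
$Computers   = Get-Content '.\computers.txt'  # placeholder: one hostname per line

$RenewBlock = {
    param($Enforcement, $SidExtOid, $IssuerMatch)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            # Candidates: our CA's certs with a key, still valid on enforcement
            # day, and without the SID extension (so the KDC cannot map them strongly).
            $_.HasPrivateKey -and
            $_.Issuer -like $IssuerMatch -and
            $_.NotAfter -gt $Enforcement -and
            -not ($_.Extensions | Where-Object { $_.Oid.Value -eq $SidExtOid })
        } |
        ForEach-Object {
            # Renew against the issuing CA using the template recorded in the old
            # certificate; the old certificate is archived and the new one carries
            # the SID extension. -q suppresses UI so this works non-interactively.
            $output = & certreq.exe -enroll -machine -q -cert $_.SerialNumber renew 2>&1
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Subject  = $_.Subject
                Serial   = $_.SerialNumber
                NotAfter = $_.NotAfter
                ExitCode = $LASTEXITCODE
                Output   = ($output | ForEach-Object { "$_" }) -join ' '
            }
        }
}

# Fan out to every machine and collect one row per renewal attempt.
$results = Invoke-Command -ComputerName $Computers -ScriptBlock $RenewBlock `
    -ArgumentList $Enforcement, $SidExtOid, $IssuerMatch -ErrorAction Continue

$results | Export-Csv '.\renewal-report.csv' -NoTypeInformation
# Anything with a non-zero exit code needs a follow-up (step 6 of the answer).
$results | Where-Object { $_.ExitCode -ne 0 } |
    Format-Table Computer, Subject, Output -AutoSize
```

This only covers the machine store; user certificates have to be renewed in the user's own context (for example a logon script running the same `certreq` call without `-machine`). Note that `certutil -pulse` is not enough here, because it only triggers autoenrollment, which renews certificates inside the template's renewal window and ignores ones that are still far from expiry.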

