SSL Thumbprint for the Certificate Enrollment Web service

Venkata Chaitanya Raju Konduru 21 Reputation points
2021-06-15T11:31:45.5+00:00

Hi,

We have come across the commands from the below Microsoft article

https://learn.microsoft.com/en-us/powershell/module/adcsdeployment/install-adcsenrollmentwebservice?view=windowsserver2019-ps

Install-AdcsEnrollmentWebService -ApplicationPoolIdentity -CAConfig "CA1.contoso.com\contoso-CA1-CA" -SSLCertThumbprint "Thumbprint001" -AuthenticationType Certificate

-SSLCertThumbprint
Specifies the hash or thumbprint of the Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate for a web site as a string value. This parameter is optional. If used, it establishes the necessary binding with Internet Information Server (IIS) to enable support for the required SSL/TLS connectivity. If a binding already exists within IIS, specifying this parameter overwrites the existing binding. If this parameter is not specified, any existing binding is used. If no bindings exist, installation succeeds, but the service will not function until the binding is established manually.

1) Is this the thumbprint of the certificate that's present on the IIS which will be used to secure the connections of the Certificate Enrollment Web service? If yes, then what happens to the service when the certificate gets renewed next year? Or

2) Is this the thumbprint of the certificate of the CA which will take care of the CES service requests?

Windows Server Security

Accepted answer
  1. Vadims Podāns 9,121 Reputation points MVP
    2021-06-15T13:58:33.957+00:00

    The cmdlet parameter documentation explains which thumbprint is expected. It is the TLS certificate thumbprint, not the CA certificate.

    "If yes then what happens to the service when the certificate gets renewed next year?"

    You will have to manually update bindings in IIS, or use automatic rebinding: https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85

    1 person found this answer helpful.
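
The renewal case discussed in the accepted answer can be checked on the web server itself. The script below is an added example, not part of the thread or of Microsoft's documentation: it reports whether the certificate bound to the HTTPS listener is still the newest valid one. The function name, the port 443 default, the 30-day warning window and matching a renewed certificate by identical Subject are assumptions.

```powershell
# Added example: read-only check of the IIS TLS binding against LocalMachine\My.
# Assumes the WebAdministration module is installed and the binding uses the
# "My" store; run in an elevated session on the server hosting the service.
Import-Module WebAdministration   # provides the IIS:\ drive

function Get-SslBindingStatus {
    param(
        [int]$Port = 443,      # assumed HTTPS port of the enrollment site
        [int]$WarnDays = 30    # assumed warning window before expiry
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
    $now = Get-Date

    Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $Port } | ForEach-Object {
        $binding = $_
        # Certificate the binding currently points at (looked up by thumbprint).
        $bound = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $binding.Thumbprint }

        $state = 'OK'; $newest = $null
        if (-not $bound) {
            # The thumbprint in the binding no longer exists in the store.
            $state = 'BoundCertMissing'
        } else {
            # Newest unexpired server-auth certificate with the same Subject.
            $newest = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
                $_.Subject -eq $bound.Subject -and $_.HasPrivateKey -and
                $_.NotAfter -gt $now -and
                $_.EnhancedKeyUsageList.ObjectId -contains $serverAuth
            } | Sort-Object NotBefore -Descending | Select-Object -First 1

            if ($newest -and $newest.Thumbprint -ne $bound.Thumbprint) {
                $state = 'StaleBinding'      # renewed cert exists but is not bound
            } elseif ($bound.NotAfter -lt $now) {
                $state = 'Expired'
            } elseif ($bound.NotAfter -lt $now.AddDays($WarnDays)) {
                $state = 'ExpiringSoon'
            }
        }
        [pscustomobject]@{
            Endpoint         = "$($binding.IPAddress):$($binding.Port)"
            BoundThumbprint  = $binding.Thumbprint
            BoundNotAfter    = if ($bound) { $bound.NotAfter } else { $null }
            NewestThumbprint = if ($newest) { $newest.Thumbprint } else { $null }
            State            = $state
        }
    }
}

Get-SslBindingStatus | Format-Table -AutoSize
```

A `StaleBinding` row is the situation the answer describes: the certificate was renewed, but the binding still has to be updated manually or by IIS certificate rebind.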

1 additional answer

  1. Daisy Zhou 22,476 Reputation points Microsoft Vendor
    2021-06-16T02:47:58.923+00:00

    Hello @Venkata Chaitanya Raju Konduru ,

    Thank you for posting here.

    I think the answer from Crypt32 is very helpful.

    Hope the answer provided by Crypt32 is also helpful to you.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou
