Automatism for Windows Certificate Authority (certrollout, renew)

ErazerMe 46 Reputation points
2021-06-22T12:19:24.683+00:00

Hello all,
According to the certificate lifetime of one year for TLS certificates, we have a lot of tasks to request/renew certificates for all types of web services (IIS, Tomcat, Apache, ...).
We are using an internal Windows PKI for all certificate topics (internal sites).
I checked already a few websites for any solution, but couldn't find any match.

So may you can support me with the following topic:
Is there any possibility to automate the certificate request/renewal process with a Windows CA?
Currently, before a certificate reaches its expiration date, the application responsible creates a new certificate request and pushes it to us via e-mail; our PKI admin creates the certificate and sends it back, and the app responsible installs the new certificate.

It is our goal to automate this process - does there exist any functionality to automate the request, or at least the renewal process, of certificates? I know publishing certs to Windows clients is possible with "autoenrollment". But the main web servers are Tomcat and Apache. We want to reduce the effort of cert management for trusted services/servers. Maybe, if possible, the initial request has to be done manually, and all ongoing tasks can be done automatically in the background (renewing every year).
I would be very grateful if someone here has a suggested solution and would share that information.

Wish you a nice day


2 answers

  1. Anonymous
    2021-06-23T02:27:25.473+00:00

    Hello @Andy,

    Thank you for posting here.

    Q: Is there any possibility to automate the certificate request/renewal process with a Windows CA?
    A: Auto-enrollment (auto-request) and auto-renewal of certificates are based on certificate templates.

    For certificate auto-enrollment:

    Group policy must be set to allow clients to auto-enroll and the types of auto-enrollment allowed. Next, that policy must be pushed out to all of the clients in the domain. Lastly, the certificate authority registered to that domain must have the templates issued for the certificates to be auto-enrolled. These include machine/computer, domain controller, and user certificates.

    Here is the Autoenroll permission on the certificate template.


    Set Up Automatic Certificate Enrollment (Autoenroll)
    https://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll

    For certificate renewal:

    Renewal. This is the most misunderstood part of the auto-enroll process. Every certificate issued has a renewal period as part of the template. This does not necessarily mean that the certificate will renew at the exact beginning of that period. For renewal of auto-enrolled certificates, two time frames must be met before the action is taken.
    First, the certificate has to have completed 80% of its validity period and be within the renewal period. So, as an example, a certificate that is valid for 1 year reaches the 80% mark at around 41.5 weeks, and if the cert has a 6-week renewal period, then the renewal would happen at the 46-week mark. So this would happen during the renewal period.
    If the validity period is 6 months, the 80% mark would be week 21, but the renewal period would begin in week 20.

    Here are the renewal period and validity period on the certificate template.

    Tips for Certificate Auto-Enrollment Issuance
    https://blog.keyfactor.com/certificate-auto-enrollment-issuance

    Because we mainly provide support for Windows, I am not sure how you perform the initial certificate request for Tomcat and Apache.

    Hope the information above is also helpful.

    Should you have any question or concern, please feel free to let us know.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
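The renewal rule described in this answer (80% of validity elapsed AND inside the template's renewal period) as an added PowerShell example, not code from the thread or from Microsoft. It assumes a 6-week renewal period as a constant and, to flag certificates that cannot be auto-renewed because they were not issued from a template, checks for the certificate-template extension OIDs.

```powershell
# Added example (not from the thread): when would Windows autoenrollment
# renew a certificate? Renewal happens only once BOTH gates are passed:
# 80% of the validity period has elapsed AND the cert is inside the
# template's renewal period. The later of the two dates is the trigger.
# Assumption: 6-week renewal period is hard-coded; read the real value
# from the template if you need exact dates.

function Get-AutoRenewWindow {
    param(
        [Parameter(Mandatory)] [datetime] $NotBefore,
        [Parameter(Mandatory)] [datetime] $NotAfter,
        [Parameter(Mandatory)] [timespan] $RenewalPeriod
    )
    $validity      = $NotAfter - $NotBefore
    $eightyPercent = $NotBefore.AddTicks([long]($validity.Ticks * 0.8))
    $windowStart   = $NotAfter - $RenewalPeriod
    # The later gate is the earliest moment autoenrollment acts.
    $trigger = if ($eightyPercent -gt $windowStart) { $eightyPercent } else { $windowStart }
    [pscustomobject]@{
        EightyPercentMark = $eightyPercent
        RenewalWindowOpen = $windowStart
        RenewalTrigger    = $trigger
    }
}

# Worked instances from the answer: a 1-year cert with a 6-week renewal
# period triggers at ~46 weeks (window open comes after the 80% mark);
# a 6-month cert triggers at the 80% mark (~week 21), which comes after
# the window opens (~week 20).
$start = Get-Date '2021-01-01'
$sixWeeks = [timespan]::FromDays(42)
Get-AutoRenewWindow -NotBefore $start -NotAfter $start.AddYears(1)  -RenewalPeriod $sixWeeks
Get-AutoRenewWindow -NotBefore $start -NotAfter $start.AddMonths(6) -RenewalPeriod $sixWeeks

# Inventory the machine store: expiry, computed renewal trigger, and whether
# the cert carries a template extension (v1 template name OID or v2 template
# information OID). Certs without one, e.g. from a plain OpenSSL CSR, will
# not be picked up by autoenrollment renewal and need manual handling.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $w = Get-AutoRenewWindow -NotBefore $_.NotBefore -NotAfter $_.NotAfter -RenewalPeriod $sixWeeks
    [pscustomobject]@{
        Subject        = $_.Subject
        NotAfter       = $_.NotAfter
        RenewalTrigger = $w.RenewalTrigger
        HasTemplate    = [bool]($_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value })
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

Rows with HasTemplate false are the ones the manual e-mail/certsrv workflow still has to cover.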


  2. Anonymous
    2021-06-24T06:05:10.427+00:00

    Hello @Andy,

    I am so glad to receive your reply.

    Based on "We create manually a cert-request (mostly via Openssl) and then input the cert-request manually to the CA (website: certsrv) - afterwards I provide the certificate back to the tomcat", you did not specify any certificate template during the cert request, is that right? If so, according to my knowledge and experience, I think we cannot automate such a process.

    I know that for Windows CA certificate autoenrollment, if the following requirements are met, then we can automate certificate enrollment and certificate renewal.

    Group policy must be set to allow clients to auto-enroll and the types of auto-enrollment allowed. Next, that policy must be pushed out to all of the clients in the domain. Lastly, the certificate authority registered to that domain must have the templates issued for the certificates to be auto-enrolled.

    If someone knows any management tool (maybe also third-party) to automate such a process, we warmly welcome them to provide any helpful information here.

    Thank you for your understanding and support.

    Hope the information above is also helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
