Auto Cert Renewal Simply deletes old certificates

Aemilianus Kehler 101 Reputation points
2022-01-25T15:06:39.357+00:00

Last year I had taken some steps to implement Automatic Certificate renewals, which included the following: creating a new certificate template (a copy of Web Server), however with Schema Version 4 and Version 100.7. The Subject Name tab has the checkbox enabled for "Supply in request" to fill in (what I assume will be) the common name and the SAN.

Ok, so far so good. However, I had somehow left the cert to expire within 1 year, and I guess I forgot to follow up on the ticket I had created, and I also forgot to set sensors on the service, and there was a service interruption. When I went to go check on the service, it was quickly discovered that the certificate had expired; checking IIS showed no certificate bound to the SSL/HTTPS listener, and checking the machine certificate store showed the certificate had been deleted.

I found this link (personal-certificates-disappears-exchange-efs) where Wendy provided an action plan. I validated the registry was set to 0x000000007. The machine is able to request a certificate without issue when I issue them manually. Then something fails, I don't know what yet, and it still deletes the certificate. What can I do to get auto enrollment to work? Are there any log locations? I noticed my task scheduler folder as mentioned by Wendy in the second link only had 3 items, where my server shows 6 items? Server is 2016.


1 answer

  1. Aemilianus Kehler 101 Reputation points
    2022-06-13T14:10:23.95+00:00

    Is anyone here actually willing to help people, or?

    Like seriously what gives here? I still have this problem and have got zero help...

    Update: checking the Computer cert store, it appears there is a new auto-generated certificate. One thing, however, is that the certificate is used by an IIS website, and when I check that site's binding it doesn't appear to have the new cert bound. Checking the service shows the old cert is still being served, and I presume, much like last time, if nothing is done it will eventually fail either when the expiry date passes or if the instance is stopped and restarted (like from a reboot), as there is no cert defined in the IIS web bindings.

    Now the only issue seems to be rebinding the certificate to the IIS website it is bound to. Any idea how this is handled?

    https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85

    Just read this and I clicked the option "Enable Automatic Rebind of Renewed Certificates". Hopefully this completes the task and everything will work automatically from here on in.

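The situation the thread ends on (a renewed auto-enrolled certificate sitting in the machine store while the IIS HTTPS binding still points at the old one) can be checked and corrected by hand from an elevated PowerShell session. The script below is an added example, not code from the thread or from Microsoft; it assumes the site is named 'Default Web Site', the HTTPS binding is on port 443, the template issues the certificate to the host's FQDN, and the IIS WebAdministration module is installed.

```powershell
# Added example: locate the newest auto-enrolled certificate for this host and
# point the site's HTTPS binding at it. Assumes WebAdministration (IIS) is
# installed; site name and port are assumptions to adjust for the real server.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption
$port     = 443                  # assumption
$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Recent activity of the auto-enrollment client (new, replaced and deleted
#    certificates are recorded in this operational log).
$lifecycleLog = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'
Get-WinEvent -LogName $lifecycleLog -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 2. Newest unexpired machine certificate for this host that has a private key
#    (this is where an auto-enrollment renewal lands).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.Subject -like "CN=$hostFqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $hostFqdn in LocalMachine\My" }

# 3. Compare with the certificate the HTTPS binding currently references.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $port
if (-not $binding) { throw "No https binding on port $port for '$siteName'" }
$boundThumb = $binding.certificateHash
if ($boundThumb -eq $cert.Thumbprint) {
    Write-Host "Binding already uses the current certificate $($cert.Thumbprint)"
} else {
    Write-Host "Rebinding '$siteName':$port from '$boundThumb' to $($cert.Thumbprint) (expires $($cert.NotAfter))"
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# 4. Confirm at the HTTP.sys level, which is what clients actually receive.
netsh http show sslcert ipport=0.0.0.0:$port
```

Running step 2 and 3 alone (without the rebind call) is a useful periodic check that the store and the binding agree, since the renewed certificate being served is what the expiry monitoring the question mentions ultimately depends on.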
