Auto Cert Renewal Simply deletes old certicates

Question

Auto Cert Renewal Simply deletes old certicates

Aemilianus Kehler 101

Last year I had taken some steps to implement Automatic Certificate renewals. Which included the following, creating a new certificate template (copy of Web Server) however with Schema Version 4 and Version 100.7. The Subject name tab has the checkbox enabled for "Supply in request" to fill in the (what I assume will be common name and the SAN).

Ok so far so good. However I had some left the cert to expire within 1 year, and I guess I forgot to follow up on the ticket I had created, and I also forgot to set sensors on the service, and there was a service interruption. When I went to go check on the service, it was quickly discovered that the certificate had expired, checking IIS showed no certificate bound to the SSL/HTTPS listener, checking the machine certificate store showed the certificate had been deleted.

I found this link personal-certificates-disappears-exchange-efs where Wendy provided an action plan. I validated the registry was set to 0x000000007. The Machine is able to request a certificate without issue when I issue them manually. Then something fails, I don't know what yet it still deletes the certificate. What can I do to get auto enrollment to work? Are there any log locations? I noticed my task scheduler folder as mentioned by Wendy in the second link only had 3 items, where my server shows 6 items? Server is 2016.

Aemilianus Kehler 101 Reputation points

2022-01-25T21:02:46.853+00:00
I see there's been no comments yet. I did some further research and I discovered the old certificate was not in fact delete but rather it was simply archived.
With this new info I have a couple other questions. Since when I checked IIS it stated there was no cert bound to the SSL listener for the site.

Does IIS not support using archived certs? (It would appear it does not and simply removes the cert from the listener, the site will still use the old one (in memory?) Till the site is restarted and it fails? I haven't tested this.)

When I got on the server and attempted to click on the computer object in the cert MMC snap-in, and from the context menu I choose "All Tasks -? Automatically Enroll and retrieve Certificates". I then get the Error "Certificate Types are not available" I found this link, but it leads to a dead end, everything I've checked as well, why can't this wizard detect the certificate template that I can see when I manually request a new certificate?
Aemilianus Kehler 101 Reputation points

2022-01-26T15:38:37.403+00:00

Anyone? Hints? Suggestions?
Ryan Hill 30,281 Reputation points Microsoft Employee Moderator

2022-01-28T15:38:25.853+00:00

Hi @Aemilianus Kehler ,

Apologies that you haven't been getting any traction on this. Correct me if I'm wrong but you're implementing auto cert renewal for a Windows Server 2016 machine; is this an on-prem server or a cloud VM?
Aemilianus Kehler 101 Reputation points

2022-01-28T22:20:44.82+00:00

Everything's on prem.
Ryan Hill 30,281 Reputation points Microsoft Employee Moderator

2022-01-28T22:49:03.123+00:00

Okay, you've tagged your question with Azure. I've retagged so you can get better eyes on your question. Also check https://techcommunity.microsoft.com/t5/windows-server/ct-p/Windows-Server in case you're not getting any traction.
Aemilianus Kehler 101 Reputation points

2022-01-31T15:44:32.887+00:00

That's cause the UI didn't let me pick the proper category. I'd pick a proper one if I could, I just needed to get the question posted. Thanks so far nothing? not even a hint at where to look for hints?
Ryan Hill 30,281 Reputation points Microsoft Employee Moderator

2022-01-31T18:14:27.223+00:00

I understand your frustration @Aemilianus Kehler and your question was retagged under windows-server-security. I've replaced it with windows-server-2016 today so that you can get better assistance. I did discover this tech community post which appears to have the same goals as you but there wasn't any response. I personally don't have any expertise in this area, @Rita Hu -MSFT would you be able to assist here?
Aemilianus Kehler 101 Reputation points

2022-02-01T17:33:59.323+00:00

Thank you ryanchill for the responses. I checked the reference you shared but that was more for trying to automate a Windows PKI cert into linux, or other vendor applications, which wouldn't be possible without extreme coding or scripting knowledge to pull off.

In my case it's all Microsoft products, MS Windows CA, PKI, MMC snap in Cert manager, Scheduled Tasks, and IIS. It should work but its not working and I can't find any log details to figure out why. Couple more question from further analysis on my part.

1) Under the Scheduled task area Task Scheduler library -> Microsoft -> Windows -> CertificateServicesClient, and clicking the system task, under the history there's a "correlation id" where can one find more details about this. I'm assuming its for a log file?

2) I was able to see there's a dedicated folder under the Event Viewer: Application and Service Logs ->Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System. In which I can find the certificates when they were placed into archive, but I can't see any indication of a new cert requests via auto enrollment.
Aemilianus Kehler 101 Reputation points

2022-02-15T20:23:28.26+00:00

Sooooooo... Anyone? any help at all?

1 answer

Your answer

Aemilianus Kehler 101 Reputation points

2022-01-25T21:02:46.853+00:00

I see there's been no comments yet. I did some further research and I discovered the old certificate was not in fact delete but rather it was simply archived.
With this new info I have a couple other questions. Since when I checked IIS it stated there was no cert bound to the SSL listener for the site.

Does IIS not support using archived certs? (It would appear it does not and simply removes the cert from the listener, the site will still use the old one (in memory?) Till the site is restarted and it fails? I haven't tested this.)

When I got on the server and attempted to click on the computer object in the cert MMC snap-in, and from the context menu I choose "All Tasks -? Automatically Enroll and retrieve Certificates". I then get the Error "Certificate Types are not available" I found this link, but it leads to a dead end, everything I've checked as well, why can't this wizard detect the certificate template that I can see when I manually request a new certificate?
Aemilianus Kehler 101 Reputation points

2022-01-26T15:38:37.403+00:00

Anyone? Hints? Suggestions?
Ryan Hill 30,281 Reputation points Microsoft Employee Moderator

2022-01-28T15:38:25.853+00:00

Hi @Aemilianus Kehler ,

Apologies that you haven't been getting any traction on this. Correct me if I'm wrong but you're implementing auto cert renewal for a Windows Server 2016 machine; is this an on-prem server or a cloud VM?
Aemilianus Kehler 101 Reputation points

2022-01-28T22:20:44.82+00:00

Everything's on prem.
Ryan Hill 30,281 Reputation points Microsoft Employee Moderator

2022-01-28T22:49:03.123+00:00

Okay, you've tagged your question with Azure. I've retagged so you can get better eyes on your question. Also check https://techcommunity.microsoft.com/t5/windows-server/ct-p/Windows-Server in case you're not getting any traction.
Aemilianus Kehler 101 Reputation points

2022-01-31T15:44:32.887+00:00

That's cause the UI didn't let me pick the proper category. I'd pick a proper one if I could, I just needed to get the question posted. Thanks so far nothing? not even a hint at where to look for hints?
Ryan Hill 30,281 Reputation points Microsoft Employee Moderator

2022-01-31T18:14:27.223+00:00

I understand your frustration @Aemilianus Kehler and your question was retagged under windows-server-security. I've replaced it with windows-server-2016 today so that you can get better assistance. I did discover this tech community post which appears to have the same goals as you but there wasn't any response. I personally don't have any expertise in this area, @Rita Hu -MSFT would you be able to assist here?
Aemilianus Kehler 101 Reputation points

2022-02-01T17:33:59.323+00:00

Thank you ryanchill for the responses. I checked the reference you shared but that was more for trying to automate a Windows PKI cert into linux, or other vendor applications, which wouldn't be possible without extreme coding or scripting knowledge to pull off.

In my case it's all Microsoft products, MS Windows CA, PKI, MMC snap in Cert manager, Scheduled Tasks, and IIS. It should work but its not working and I can't find any log details to figure out why. Couple more question from further analysis on my part.

1) Under the Scheduled task area Task Scheduler library -> Microsoft -> Windows -> CertificateServicesClient, and clicking the system task, under the history there's a "correlation id" where can one find more details about this. I'm assuming its for a log file?

2) I was able to see there's a dedicated folder under the Event Viewer: Application and Service Logs ->Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System. In which I can find the certificates when they were placed into archive, but I can't see any indication of a new cert requests via auto enrollment.
Aemilianus Kehler 101 Reputation points

2022-02-15T20:23:28.26+00:00

Sooooooo... Anyone? any help at all?

Answer 1

Is anyone here actually willing to help people, or?

Like seriously what gives here? I still have this problem and have got zero help...

Update checking the Computer cert store it appears there is a new auto generated certificate, one thing however is that certificate is used by a IIS website and when I check that sites binding it doesn't appear to have the new cert bound. Checking the service shows the old cert is still being served, and I presume much like last time if nothing is done it will eventually fail either when the expiry date passes or if the instance is stopped and restarted (like from reboot) as there is no cert defined in the IIS web bindings.

Now the only issue seems to be rebinding the certificate to the IIS website it is bound to. Any idea how this is handled?

https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85

Just read this and I clicked the option "Enable Automatic Rebind of Renewed Certificates. Hopefully this completes the task and everything will work automatically from here on in.

Share via

Auto Cert Renewal Simply deletes old certicates

1 answer

Your answer