For a lab/teaching environment, we need to set up a Windows 2012R2 machine as a domain controller, with LDAPS enabled on 636. As we also need ADCS installed, we have just let ADCS auto generate the cert on the LDAPS service.
However, the cert expires in one year. Is there a mechanism where the cert auto renews somehow when a year is up?
I can't seem to find an answer to this.
Or should I manually set up a cert like this with a more distant expire time?
simonsimon
1 Answer
In Active Directory Certificate Services it is possible to configure certificates to autorenew prior to certificate expiration. This functionality (which is shipped with every Windows box) is called certificate autoenrollment.
Here is the link that describes how to enable autoenrollment functionality (which is disabled by default): https://technet.microsoft.com/en-us/library/cc770546.aspx
in your case, it is sufficient to use a certificate based on Kerberos Authentication certificate template (which is compatible with LDAPS) and enable autoenrollment GPO. Certificate template already contains Autoenroll permissions for Enterprise Domain Controllers global group. If GPO is configured properly, domain controllers will renew their LDAPS certificates after 80% of existing certificate's lifespan.
and here is a link that describes what is autoenrollment and how it works in details (for reference): https://technet.microsoft.com/en-us/library/cc778954(v=ws.10).aspx
Crypt32Crypt32
3,78711 gold badge99 silver badges2626 bronze badges
Not the answer you're looking for? Browse other questions tagged active-directorywindows-server-2012-r2ad-certificate-services or ask your own question.
I have this AD domain where a Windows Server 2003 SP2 Enterprise Root Certification Authority is operational, and certificate autoenrollment is enabled both for users and computers; all fine and good, every domain-joined computer automatically gets a Computer certificate issued. There are also two Windows Server 2003 SP2 domain controllers, which instead received a Domain Controller certificate; all fine and good, again.
Then I got a Windows Server 2008 R2 SP1 member server, which had already automatically enrolled a Computer certificate, and promoted it to domain controller. It didn't get any new one after the promotion, and no errors are logged anywhere: it looks like it simply decided that, having already a working certificate, it didn't need a new one.
What I want to know is:
I tried revoking the existing certificate and rebooting the new DC; nothing happened.Then I removed the existing certificate from the DC's local store and rebooted it again; nothing heppened this time, too.
I turned on autoenrollment logging, and I found there actually are some errors.. when the new DC tries to enroll a certificate, it logs a bunch of errors:
2,63622 gold badges1313 silver badges2323 bronze badges
MassimoMassimo
53.6k4545 gold badges172172 silver badges288288 bronze badges
2 Answers
Try
certutil -pulse - this should check for templates the system has permission in, and enroll them. It should have no problem grabbing the certificate, as long as there's nothing crazy going on in the permissions settings on the template.
You'll definitely want to have your DCs have a Domain Controller-style certificate ( Shane Madden♦Shane Madden
Domain Controller is the old one; Domain Controller Authentication then Kerberos Authentication supersede it; if your CA is running enterprise edition, then consider switching to the newer Kerberos template) - while a lot of the functions that it satisfies will be handled by a Computer certificate, some of the DC-specific stuff like smart card authentication, the LDAP/SSL listener (I believe?), and with the newer Kerberos certificate, strong KDC validation, need the special certificate.
Active Directory Certificate Autoenrollment Step By Step 1
105k99 gold badges150150 silver badges225225 bronze badges
Did you try removing the certificate from the server itself, instead of simply publishing the revocation to the revocation list on the CA? Then have the server enroll (request a certificate) again?
Here's some info on the certificates:http://technet.microsoft.com/en-us/library/cc787009(WS.10).aspx
mbrownnycmbrownnyc
1,18577 gold badges2424 silver badges4747 bronze badges
Not the answer you're looking for? Browse other questions tagged active-directorydomain-controllercertificatecertificate-authorityad-certificate-services or ask your own question.
However, the cert expires in one year. Is there a mechanism where the cert auto renews somehow when a year is up?
Active Directory Certificate Server
I can't seem to find an answer to this.
Or should I manually set up a cert like this with a more distant expire time?
simonsimon
1 Answer
In Active Directory Certificate Services it is possible to configure certificates to autorenew prior to certificate expiration. This functionality (which is shipped with every Windows box) is called certificate autoenrollment.
Here is the link that describes how to enable autoenrollment functionality (which is disabled by default): https://technet.microsoft.com/en-us/library/cc770546.aspx Sims 4 maxis match skin.
in your case, it is sufficient to use a certificate based on Kerberos Authentication certificate template (which is compatible with LDAPS) and enable autoenrollment GPO. Certificate template already contains Autoenroll permissions for Enterprise Domain Controllers global group. If GPO is configured properly, domain controllers will renew their LDAPS certificates after 80% of existing certificate's lifespan.
and here is a link that describes what is autoenrollment and how it works in details (for reference): https://technet.microsoft.com/en-us/library/cc778954(v=ws.10).aspx
3,78711 gold badge99 silver badges2626 bronze badges
Not the answer you're looking for? Browse other questions tagged active-directorywindows-server-2012-r2ad-certificate-services or ask your own question.Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |