Active Directory – How to Auto-Renew Certificate Services

Tags: active-directory, ad-certificate-services, certificate, certificate-authority, ssl-certificate

I have an LDAP application which needs to talk to Active Directory via LDAPS (LDAP over SSL). I installed Active Directory Certificate Services on a test Domain Controller (I know this is not best practice, but my customer has no spare Windows Server license for a standalone CA server).

From here I read and followed these instructions:

If you install the AD CS role and specify the Setup Type as Enterprise
on a domain controller, all domain controllers in the forest will be
configured automatically to accept LDAP over SSL

The issued certificate was indeed loaded into the DC certificate store, and the LDAPS-aware application is working.

My question is: will the certificate be renewed/re-enrolled automatically, or do I need to take care of it manually? What do I need to check to be sure that automatic renewal will work correctly?

Best Answer

With an ADCS Enterprise CA, you can utilize certificate autoenrollment, which can automatically request and renew certificates for users and computers. I wrote a new whitepaper on how it works in detail: Certificate Autoenrollment in Windows Server 2016. There is a downloadable copy of the document.

In short, it is done as follows:

  1. Configure the autoenrollment policy in GPO as specified in the Configuring autoenrollment policy section.
  2. Apply the GPO to the appropriate container (OU, domain, site).
  3. Find a suitable certificate template you want to deploy. Go to the Security tab and grant the appropriate groups (users, computers or DCs) the following permissions: Read, Enroll and Autoenroll.
  4. Publish template to CA for issuance.
  5. ????
  6. PROFIT

The last two items imply that you have to wait until the GPO is applied to clients.

Note: in order for autoenrollment to succeed, the subject name of the certificate must be constructed from Active Directory.


Update

In your particular case, you only need to configure the autoenrollment GPO and publish the Kerberos Authentication template to the CA if it is not yet added. This template already has all the required permissions.
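The checks the question asks for, as an added example that is not part of the answer above or of the linked whitepaper: a PowerShell script, run elevated on the DC that also hosts the CA, that walks the steps of the answer in order (autoenrollment policy applied, Enroll/Autoenroll granted on the Kerberos Authentication template, template published on the CA), then triggers an autoenrollment pass and confirms that the certificate in the machine store is the one LDAPS on port 636 actually serves. The template common name `KerberosAuthentication`, the EKU and extended-right OIDs, and the assumption that `certutil -CATemplates` without `-config` targets the local CA are the script's own assumptions; the server name defaults to the local host.

```powershell
#Requires -RunAsAdministrator
# Added example (not the original answer's code). Assumes it runs on the DC
# that hosts the Enterprise CA, and that the template in use is the built-in
# Kerberos Authentication template (CN=KerberosAuthentication in AD).
param([string]$Server = $env:COMPUTERNAME)

$KdcAuthEku      = '1.3.6.1.5.2.3.5'                      # KDC Authentication (Kerberos Authentication template)
$ServerAuthEku   = '1.3.6.1.5.5.7.3.1'                    # Server Authentication, needed for LDAPS
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'                 # Certificate Template Information (v2 templates)
$EnrollRight     = '0e10c968-78fb-11d2-90d4-00c04f79dc55' # AD extended right: Enroll
$AutoenrollRight = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2' # AD extended right: Autoenroll

# Step 1/2: the "Certificate Services Client - Auto-Enrollment" GPO setting lands in AEPolicy.
# Bit 0x1 = enabled, 0x2 = renew expired / update pending / remove revoked,
# 0x4 = update certificates that use templates, 0x8000 = disabled. 7 is the usual value.
$ae = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
        -Name AEPolicy -ErrorAction SilentlyContinue
if (-not $ae) {
    Write-Warning 'AEPolicy is not set: the autoenrollment GPO has not applied here yet (try gpupdate /force).'
} elseif (($ae.AEPolicy -band 0x8000) -or -not ($ae.AEPolicy -band 0x1)) {
    Write-Warning "AEPolicy=$($ae.AEPolicy): autoenrollment is disabled by policy."
} else {
    "AEPolicy=$($ae.AEPolicy): autoenrollment enabled (renew/update bits: $($ae.AEPolicy -band 0x6))"
}

# Step 3: who holds Enroll and Autoenroll on the template object in the Configuration NC.
# Domain Controllers should show up with both rights for the built-in template.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmpl = [ADSI]"LDAP://CN=KerberosAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
"`nTemplate ACL (Enroll/Autoenroll allow entries):"
$tmpl.ObjectSecurity.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ObjectType.ToString() -in @($EnrollRight, $AutoenrollRight) } |
    ForEach-Object {
        $right = if ($_.ObjectType.ToString() -eq $AutoenrollRight) { 'Autoenroll' } else { 'Enroll' }
        '  {0,-45} {1}' -f $_.IdentityReference, $right
    }

# Step 4: the template must be published on the CA, or requests are rejected.
$caTemplates = certutil -CATemplates 2>&1
if ($caTemplates -match '^KerberosAuthentication:') {
    "`nKerberosAuthentication is published on the CA."
} else {
    Write-Warning 'KerberosAuthentication is not published on the CA (Certificate Templates > New > Certificate Template to Issue).'
}

# Step 5: do not wait for the scheduled task; trigger an autoenrollment pass now.
certutil -pulse | Out-Null
Start-Sleep -Seconds 5

# Pick the newest certificate in the machine store that carries both EKUs and a private key.
$kdc = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $KdcAuthEku) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $kdc) {
    Write-Warning 'No Kerberos Authentication certificate in LocalMachine\My; check the CA Failed Requests log and the CertificateServicesClient-AutoEnrollment event log.'
    return
}
$tmplExt = $kdc.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
"`nStore certificate: $($kdc.Subject)"
"  Thumbprint : $($kdc.Thumbprint)"
"  Expires    : $($kdc.NotAfter) ($([int]($kdc.NotAfter - (Get-Date)).TotalDays) days left)"
if ($tmplExt) { "  " + ($tmplExt.Format($false) -replace ',.*$', '') }  # "Template=Kerberos Authentication(...)"
# Autoenrollment renews once the remaining lifetime is inside the template's renewal period,
# so a cert that sits at a few weeks left and then jumps back to a full term is the success signal.

# Step 6: what does LDAPS actually hand out? Schannel chooses from the store, so compare thumbprints.
function Get-LdapsCertificate([string]$Name) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, 636)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Name)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }
}
$served = Get-LdapsCertificate $Server
"`nLDAPS on ${Server}:636 serves $($served.Thumbprint) (expires $($served.NotAfter))"
if ($served.Thumbprint -ne $kdc.Thumbprint) {
    Write-Warning 'LDAPS is serving a different certificate than the newest one in the store; check for stale certificates in LocalMachine\My.'
}
```

The ACL block is the one step a reader cannot see from the CA console alone: the built-in template grants Domain Controllers Enroll and Autoenroll, but a template that was duplicated or re-permissioned will silently never renew, and the first symptom is an expired LDAPS certificate. The final thumbprint comparison catches the other quiet failure, a renewed certificate sitting in the store while Schannel keeps offering the old one.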