Domain Controller – Changing Issuing CA for Autoenrollment

ad-certificate-servicescertificate-authoritydomain-controller

We are cleaning up our Windows PKI/CA environment and replacing our root CA with a new server. The current root CA has been issuing the following certificate templates for years now (in addition to the Subordinate certificate template):

Kerberos Authentication
Domain Controller Authentication (we know this is superseded now by the Kerberos Authentication template)
Domain Controller (we know this is superseded now)
Directory Email Replication

The subordinate CA also has the templates "issued".

We know that this isn't ideal, and the new root CA will be set to only issue the subordinate certificate template.

THE QUESTION:

After removing the templates above from being issued by the root CA (NOT deleting the template itself, just removing it from being issued from that root CA), when the domain controllers automatically renew those certificates above, will they know to look at the subordinate CA for the renewal/issuance of a new certificate based on those templates required for a domain controller? Or is there something else we need to do to proactively issue new certificates to the DC's in the environment? The existing certificates won't be revoked so they'll be valid until re-enrollment happens, but we are curious if re-enrollment will fail if the original certs were issued by the old root CA. We aren't sure how DC's "decide" which CA to pick from if more than one CA is allowed to issue these DC templates.

Additional Add-On Question:

Do you know what affect existing certs will have that were issued from the existing SubCA after we replace the rootCA? We are migrating the rootCA to a new name per: Step-By-Step Migrating CA to new server — others in the comments asked basically the same question I'm asking about existing certs but with no reply. My guess is that as long as the client still has the old RootCA in their Trusted Root Store and the SubCA in the Intermediate Store, they should still have a good cert chain until the cert expires, but I'd like to know for sure ahead of time.

Best Answer

when the domain controllers automatically renew those certificates above, will they know to look at the subordinate CA for the renewal/issuance of a new certificate based on those templates required for a domain controller?

yes. Enrollment clients will enumerate all CAs that support requested template from AD first. Then client will choose random CA from this list to send renewal request. That is, removing all templates from root CA is fine, clients will attempt another available CA that supports this template.

p.s. though I would consider to convert Enterprise Root CA (domain-joined) to Standalone Root CA (workgroup member) so you can turn off root CA for most of time because it has nothing to do online. You would turn on it once or twice a year to publish the CRL or when you need to sign subordinate CA certificate. But it is another question, just a good way to follow best practices.

Update 1 (21.01.2022)

Microsoft Docs pages don't show anything about how it enumerates the CAs, etc.

Enrollment client calls generic IX509Enrollment::Enroll which performs a series of calls (very simplified steps):

CA discovery using [MS-XCEP]

Load a list of policies from registry.
Group policies by PolicyId attribute.
Groups are sorted by Cost attribute, then by Authentication attribute. Kerberos authentication has higher precedence. The rest groups are placed in arbitrary order.
Query each policy by calling IPolicy::GetPoliciesResponse web method. Response contains a list of CA web services
Response contains: a list of certificate templates the caller has permissions to enroll and a list of CA endpoints (that implement [MS-WSTEP] protocol) with the information about supported certificate templates.
prepare empty list.
for each sorted policy group:
order CAs by Cost attribute, then by Authentication attribute. Kerberos authentication has higher precedence. The rest groups are placed in arbitrary order. Eliminate CAs the caller has no permissions on. Append ordered CAs to the list in same order.
repeat (8) until all CAs are added to the list.
for each CA in remaining list:
generate certificate request and call ICertRequest::Submit to submit request to selected CA.
repeat (11) until the call succeeds.

CA discovery using [MS-WCCE]

do do-while loop call of ICertConfig::Next to enumerate all autodiscovered CAs (local, registered in AD, stored in shared directory, etc.). This will produce a list of all possible CAs.
For each CA client makes a ICertRequest2::GetCAProperty call with CR_PROP_TEMPLATES as a propID parameter. Eliminate offline CAs.
Filter list obtained in (1) to eliminate CAs that does not support requested template.
if CA site awareness is configured, filter list of CAs that are in same ADDS site as client. Do not filter if CA site awareness is not configured or there is no CAs in same ADDS site where client resides.
Call ICertRequest::GetCACertificate to retrieve CA certificate and validate each. Eliminate CAs with invalid or untrusted certificate.
pick arbitrary CA from remaining list, generate certificate request and call ICertRequest::Submit to submit request to selected CA.

Again, it is a simplified task sequence for enrollment client to discover CAs and submit certificate request.

Update 2

Do you know what affect existing certs will have that were issued from the existing SubCA after we replace the rootCA?

literally nothing as long as root CA is trusted by clients.

Related Solutions

Domain Controller promotion and certificate autoenrollment

Try certutil -pulse - this should check for templates the system has permission in, and enroll them. It should have no problem grabbing the certificate, as long as there's nothing crazy going on in the permissions settings on the template.

You'll definitely want to have your DCs have a Domain Controller-style certificate (Domain Controller is the old one; Domain Controller Authentication then Kerberos Authentication supersede it; if your CA is running enterprise edition, then consider switching to the newer Kerberos template) - while a lot of the functions that it satisfies will be handled by a Computer certificate, some of the DC-specific stuff like smart card authentication, the LDAP/SSL listener (I believe?), and with the newer Kerberos certificate, strong KDC validation, need the special certificate.

OpenSSL – Certification Authority Root Certificate Expiry and Renewal

Keeping the same private key on your root CA allows for all certificates to continue to validate successfully against the new root; all that's required of you is to trust the new root.

The certificate signing relationship is based on a signature from the private key; keeping the same private key (and, implicitly, the same public key) while generating a new public certificate, with a new validity period and any other new attributes changed as needed, keeps the trust relationship in place. CRLs, too, can continue over from the old cert to the new, as they are, like certificates, signed by the private key.

So, let's verify!

Make a root CA:

openssl req -new -x509 -keyout root.key -out origroot.pem -days 3650 -nodes

Generate a child certificate from it:

openssl genrsa -out cert.key 1024
openssl req -new -key cert.key -out cert.csr

Sign the child cert:

openssl x509 -req -in cert.csr -CA origroot.pem -CAkey root.key -create_serial -out cert.pem
rm cert.csr

All set there, normal certificate relationship. Let's verify the trust:

# openssl verify -CAfile origroot.pem -verbose cert.pem
cert.pem: OK

Ok, so, now let's say 10 years passed. Let's generate a new public certificate from the same root private key.

openssl req -new -key root.key -out newcsr.csr
openssl x509 -req -days 3650 -in newcsr.csr -signkey root.key -out newroot.pem
rm newcsr.csr

And.. did it work?

# openssl verify -CAfile newroot.pem -verbose cert.pem
cert.pem: OK

But.. why? They're different files, right?

# sha1sum newroot.pem
62577e00309e5eacf210d0538cd79c3cdc834020  newroot.pem
# sha1sum origroot.pem
c1d65a6cdfa6fc0e0a800be5edd3ab3b603e1899  origroot.pem

Yes, but, that doesn't mean that the new public key doesn't cryptographically match the signature on the certificate. Different serial numbers, same modulus:

# openssl x509 -noout -text -in origroot.pem
        Serial Number:
            c0:67:16:c0:8a:6b:59:1d
...
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bd:56:b5:26:06:c1:f6:4c:f4:7c:14:2c:0d:dd:
                    3c:eb:8f:0a:c0:9d:d8:b4:8c:b5:d9:c7:87:4e:25:
                    8f:7c:92:4d:8f:b3:cc:e9:56:8d:db:f7:fd:d3:57:
                    1f:17:13:25:e7:3f:79:68:9f:b5:20:c9:ef:2f:3d:
                    4b:8d:23:fe:52:98:15:53:3a:91:e1:14:05:a7:7a:
                    9b:20:a9:b2:98:6e:67:36:04:dd:a6:cb:6c:3e:23:
                    6b:73:5b:f1:dd:9e:70:2b:f7:6e:bd:dc:d1:39:98:
                    1f:84:2a:ca:6c:ad:99:8a:fa:05:41:68:f8:e4:10:
                    d7:a3:66:0a:45:bd:0e:cd:9d
# openssl x509 -noout -text -in newroot.pem
        Serial Number:
            9a:a4:7b:e9:2b:0e:2c:32
...
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bd:56:b5:26:06:c1:f6:4c:f4:7c:14:2c:0d:dd:
                    3c:eb:8f:0a:c0:9d:d8:b4:8c:b5:d9:c7:87:4e:25:
                    8f:7c:92:4d:8f:b3:cc:e9:56:8d:db:f7:fd:d3:57:
                    1f:17:13:25:e7:3f:79:68:9f:b5:20:c9:ef:2f:3d:
                    4b:8d:23:fe:52:98:15:53:3a:91:e1:14:05:a7:7a:
                    9b:20:a9:b2:98:6e:67:36:04:dd:a6:cb:6c:3e:23:
                    6b:73:5b:f1:dd:9e:70:2b:f7:6e:bd:dc:d1:39:98:
                    1f:84:2a:ca:6c:ad:99:8a:fa:05:41:68:f8:e4:10:
                    d7:a3:66:0a:45:bd:0e:cd:9d

Let's go a little further to verify that it's working in real world certificate validation.

Fire up an Apache instance, and let's give it a go (debian file structure, adjust as needed):

# cp cert.pem /etc/ssl/certs/
# cp origroot.pem /etc/ssl/certs/
# cp newroot.pem /etc/ssl/certs/
# cp cert.key /etc/ssl/private/

We'll set these directives on a VirtualHost listening on 443 - remember, the newroot.pem root certificate didn't even exist when cert.pem was generated and signed.

SSLEngine on
SSLCertificateFile /etc/ssl/certs/cert.pem
SSLCertificateKeyFile /etc/ssl/private/cert.key
SSLCertificateChainFile /etc/ssl/certs/newroot.pem

Let's check out how openssl sees it:

# openssl s_client -showcerts -CAfile newroot.pem -connect localhost:443

Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=server.lan
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=root
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=root
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=root
-----BEGIN CERTIFICATE-----
MIICHzCCAYgCCQCapHvpKw4sMjANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJB
...
-----END CERTIFICATE-----
(this should match the actual contents of newroot.pem)
...
Verify return code: 0 (ok)

Ok, and how about a browser using MS's crypto API? Gotta trust the root, first, then it's all good, with the new root's serial number:

newroot

And, we should still be working with the old root, too. Switch Apache's config around:

SSLEngine on
SSLCertificateFile /etc/ssl/certs/cert.pem
SSLCertificateKeyFile /etc/ssl/private/cert.key
SSLCertificateChainFile /etc/ssl/certs/origroot.pem

Do a full restart on Apache, a reload won't switch the certs properly.

# openssl s_client -showcerts -CAfile origroot.pem -connect localhost:443

Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=server.lan
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=root
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=root
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=root
-----BEGIN CERTIFICATE-----
MIIC3jCCAkegAwIBAgIJAMBnFsCKa1kdMA0GCSqGSIb3DQEBBQUAMFQxCzAJBgNV
...
-----END CERTIFICATE-----
(this should match the actual contents of origroot.pem)
...
Verify return code: 0 (ok)

And, with the MS crypto API browser, Apache's presenting the old root, but the new root's still in the computer's trusted root store. It'll automatically find it and validate the cert against the trusted (new) root, despite Apache presenting a different chain (the old root). After stripping the new root from trusted roots and adding the original root cert, all is well:

oldroot

So, that's it! Keep the same private key when you renew, swap in the new trusted root, and it pretty much all just works. Good luck!

Best Answer

Related Solutions

Domain Controller promotion and certificate autoenrollment

OpenSSL – Certification Authority Root Certificate Expiry and Renewal

Related Topic