How to use AD CS to auto-renew certs for securing IIS websites that use SNI?

NReilingh

3/14/24, 1:57 PM

I have AD CS which automatically provisions and renews machine certificates for servers bound to the directory. (There is a certificate template which controls this auto-issuance.)

I have an IIS server bound to the directory which serves some websites which I want to secure with AD CS-issued certs. These sites will only be accessible to clients which will trust the AD CS root certificate.

I know I can simply select the machine certificate in IIS when editing the site binding. I don't know if this will automatically handle when that certificate is renewed by the machine.

But I actually want to run the site on a host name different from the machine name, and have multiple sites with different SNI running from this same IIS instance.

In theory, it would be possible for IIS to automatically request and renew certs from AD CS to match my host name configuration for a given site, but I don't believe this feature is built in to IIS 10. What's the next best option?

187

1 + 0

iis

active-directory

sni

iis-10

active-directory-adcs

Score:2

Server

garethTheRed

3/14/24, 4:09 PM

You can't expect the CA to permit IIS to enrol for a certificate for all your SNI sites and the CA doesn't know that you own those names. If the CA issues certificates for any Subject the client requests, then it wouldn't be much of an authority :-)

Instead, you will somehow need to show that you do own, or at least are responsible for, those names. This is where protocols such as ACME are used on the Internet, as it is used to show to the CA that you do own a specific FQDN. Unfortunately, Microsoft ADCS doesn't support ACME without third party tools.

What you can do instead though is issue the certificate using a template which initially requires CA certificate manager approval and is configured to subsequently renew the certificate without requiring the CA manager to approve it, thereby reducing the workload. In this scenario, the CA certificate manager will have a responsibility to verify that you are responsible for all those names.

On the template Subject Name tab, set the template to Supply in the request, then select Use subject information from existing certificate for autoenrollment renewal requests.
On the Issuance Requirements tab set the Require the following for enrollment to CA certificate manager approval, then from Require the following for reenrollment below, to Valid existing certificate.

Ensure that the Certificate Client Services - Auto-Enrollment Group Policy is enabled and Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates are both set.

Have the CA administrator enable this template on your CA, then enrol for it from the IIS server.

You will need to add all the Subject and Subject Alternative Name fields to this certification request on initial enrolment only.

On renewal, the client will automatically submit a request to the CA using the information stored in the Subject and Subject Alternative Name fields. As this request is signed by (the private key of) a valid existing certificate, the CA will trust it and therefore instead of requiring the CA certificate manager to approve the request again, it will automatically issue it.

A downside to this approach is that if you host a new site and need to add another SNI name to the Subject Alternative Name extension, then you will have to generate a new request from scratch and have the CA certificate manager approve it.

+ 2

NReilingh

3/14/24, 9:10 PM

Great overview of the template configuration, thank you! Makes sense that AD CS can't implicitly trust a domain member to only request certs for FQDNs that it is actually hosting (though maybe it _could_ confirm this with a lookup in AD DNS...) -- but anyhow this will work just fine for me, and I'll bet I could script generating the certificate request if I really wanted to.

garethTheRed

3/15/24, 5:51 AM

Have a look at PowerShell's [Get-Certificate](https://learn.microsoft.com/en-us/powershell/module/pki/get-certificate) Cmdlet, if you want to reduce typing errors and script it.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to use AD CS to auto-renew certs for securing IIS websites that use SNI?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.