Score:0

Windows AD cert renewal implementation vs cert copying

hu flag

Windows PKI policy has a setting for what I think is automated renewal of AD template issued certificates when they expire.

[screenshot of the Group Policy setting]

It must be also enabled on the certificate authority (CA) side. Question - if I copy an AD template based cert from the machine where it was originally generated to another box, will the automatic renewal work on the new box?

This could depend on whether the renewal is initiated by the CA or by the certificate's home machine. In the former case, the CA might not know that the cert was copied and might push it via global policy to the original host.

Score:2
br flag

All renewals are initiated from the client, not the CA.

To renew, the client sends the renewal request in CMC format. A CMC renewal request requires signing by the original certificate's private key, therefore you would need to ensure that the certificate and private key are on the client - not just the certificate.

You then need to consider the template. If it takes the Subject name from AD, then when the new client renews it may be issued a certificate with a different name to the original, which, depending on what validation checks the CA carries out, may not work.

It would be easier to simply enrol for a new certificate on the other machine.

Seva Alekseyev (hu flag)
The private key was copied along with the cert in my scenario. The template doesn't assign the subject AFAIK, it takes one from the request. Do you know what process/task exactly initiates renewal?
br flag
On modern Windows, I _think_ it's the scheduled tasks under `Task Scheduler > Microsoft > Windows > CertificateServicesClient`. Namely `SystemTask` and `UserTask`. The renewal is enabled/disabled by the group policy in your question.
cn flag
@SevaAlekseyev: Are you asking *if* the certificate will renew or how to initiate a renewal? Basically it is when it reaches 80% mark of the end date. https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/approval-required-certificate-renewals-autoenrollment https://www.networkoc.net/microsoft-ca-commands-and-cheat-sheet/
Seva Alekseyev (hu flag)
I'm asking whether *Windows* will initiate a renewal on a copied (with key) cert on the machine it's been copied to. If not, I can write the task/logic manually, but I'm hoping I won't have to.
LeeM (cn flag)
Windows will initiate it, but whether the certificate template criteria will allow it to be auto-renewed is something else. If you're not familiar with the template, you'll need to look at it to see that there are no enrolment criteria that'll block an autorenew, *and* that the server account has the appropriate perms to autoenroll with that template. Check the *Renew manually enrolled certificates* section in Vadims Podans' article on server autoenrollment: https://www.sysadmins.lv/blog-en/certificate-autoenrollment-in-windows-server-2016-part-2.aspx
LeeM (cn flag)
That article also goes into a ton of detail on autoenrollment in general, the location of the default Windows scheduled tasks that run the enrolment checks (which you shouldn't mess with), and how to use `certutil -pulse` to manually trigger an enrolment check. Plus much, much more.
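The prerequisites the answer and comments list (private key present on the destination box, a template-issued certificate, the CertificateServicesClient scheduled tasks present, and the 80% renewal point) can be checked on the destination machine before relying on autoenrollment. This is an added PowerShell example, not code from the thread or from the linked articles; the thumbprint is a placeholder, and the two template extension OIDs are the standard Microsoft ones, which the thread itself does not name.

```powershell
# Added example (not from the thread): pre-checks for whether a certificate copied into the
# machine store meets the prerequisites for client-driven autoenrollment renewal.
# The thumbprint is a placeholder; replace it with the copied certificate's thumbprint.
param(
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

# 1. The CMC renewal request is signed with the original private key, so the key must be
#    present on this machine, not just the public certificate.
$hasKey = $cert.HasPrivateKey

# 2. Autoenrollment only tracks certificates issued from an AD template; such certificates
#    carry the Certificate Template Information (V2, OID 1.3.6.1.4.1.311.21.7) or the older
#    Certificate Template Name (V1, OID 1.3.6.1.4.1.311.20.2) extension.
$templateExt = $cert.Extensions | Where-Object {
    $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
}

# 3. The scheduled tasks named in the thread perform the periodic enrollment check.
$tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' `
    -ErrorAction SilentlyContinue | Where-Object { $_.TaskName -in 'SystemTask', 'UserTask' }

# 4. The comment above cites renewal once 80% of the validity period has elapsed.
$lifetime = $cert.NotAfter - $cert.NotBefore
$renewAt  = $cert.NotBefore.AddTicks([long]($lifetime.Ticks * 0.8))

[pscustomobject]@{
    Subject         = $cert.Subject
    PrivateKeyHere  = $hasKey
    FromADTemplate  = [bool]$templateExt
    TemplateExt     = ($templateExt | ForEach-Object { $_.Format($false) }) -join '; '
    AutoEnrollTasks = ($tasks | ForEach-Object { "$($_.TaskName)=$($_.State)" }) -join ', '
    RenewalPoint    = $renewAt
    AlreadyDue      = (Get-Date) -ge $renewAt
}
```

A `False` in `PrivateKeyHere` or `FromADTemplate` means the client-side renewal described in the answer cannot proceed regardless of policy; the template's own enrollment permissions still have to be checked on the CA side as LeeM notes.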