PKI - Manual Enroll - Auto Renewal - Possible?

Giganews Newsgroups
Subject: PKI - Manual Enroll - Auto Renewal - Possible?
Posted by:  DJH (D…@discussions.microsoft.com)
Date: Wed, 21 May 2008

How do you configure a certificate template for Manual enrolment and Auto
renewal?

For example:
I have a web server called “WINSERVER1”.  It hosts a website called
“coolwebsite.local”
I request an SSL from the internal CA called coolwebsite.local.
I want that certificate to automatically renew when it expires.
Obviously this has to be a manual enrolment as the server would not know how
to request some random website name in a certificate.

This is what I have configured:

I have an AD Integrated Enterprise issuing CA.
A version 2 certificate template has been created for computer authentication.
Template settings are as follows:
Subject Name Tab                          -Supply in the request (followed
by a description. The sentence of interest is “Autoenrollment is not allowed
if you choose this option)
Issuance Requirements Tab        -Require the following for enrolment: CA
certificate manager approval
-Require the following for reenrolment: Valid existing certificate
Security Tab                                      -AD group allowing Read
Enroll and Autoenroll

A server is added to the AD group that was configured on the Template
permissions tab.
A GPO has been created allowing the server to autoenroll and renew.

A certificate was requested via the web interface http://caname/certsrv
using this template and approved via the Certificate Authorities mmc.
The server then had a certificate with a validity of 1 year.

My expectation was that it would auto renew the certificate when it was due
to expire – using the GPO, Template security, and “Valid existing
certificate” issuance requirement.  This has not happened.
Have I configured something incorrectly?
Or
Is it not possible to have manually enrolled and automatically renewed?

Replies