|Subject:||PKI - Manual Enroll - Auto Renewal - Possible?|
|Posted by:||DJH (D…@discussions.microsoft.com)|
|Date:||Wed, 21 May 2008|
How do you configure a certificate template for Manual enrolment and Auto
I have a web server called “WINSERVER1”. It hosts a website called
I request an SSL from the internal CA called coolwebsite.local.
I want that certificate to automatically renew when it expires.
Obviously this has to be a manual enrolment as the server would not know how
to request some random website name in a certificate.
This is what I have configured:
I have an AD Integrated Enterprise issuing CA.
A version 2 certificate template has been created for computer authentication.
Template settings are as follows:
Subject Name Tab -Supply in the request (followed
by a description. The sentence of interest is “Autoenrollment is not allowed
if you choose this option”)
Issuance Requirements Tab -Require the following for enrolment: CA
certificate manager approval
-Require the following for reenrolment: Valid existing certificate
Security Tab -AD group allowing Read
Enroll and Autoenroll
A server is added to the AD group that was configured on the Template
A GPO has been created allowing the server to autoenroll and renew.
A certificate was requested via the web interface http://caname/certsrv
using this template and approved via the Certificate Authorities mmc.
The server then had a certificate with a validity of 1 year.
My expectation was that it would auto renew the certificate when it was due
to expire – using the GPO, Template security, and “Valid existing
certificate” issuance requirement. This has not happened.
Have I configured something incorrectly?
Is it not possible to have manually enrolled and automatically renewed?