GPO : Automatically update certificates for IIS


If you are looking to automatically renew existing certificates on a Windows server that also happens to run IIS as a web server, then this article may be for you.

❌ Expired certificates (Users)

Expiring certificates still seem to be the Achilles heel of many companies. When a certificate expires, a user is inconvenienced by a browser error telling them the certificate has expired, but they usually get the option to continue anyway (which is not a behaviour I would encourage, because people get used to clicking through and the underlying problem never gets fixed).

❌ Expired certificates (Non-User)

If you remove the user from the equation and have an application that needs the certificate to process its data, then once the certificate is expired the application is simply unable to communicate with the endpoint presenting it. There is no "continue anyway" button for an application.

Expired certificates are pretty catastrophic for application-based requests. Anything federation related obviously goes without saying, and this includes SAML/SSO; it also breaks any kind of tokenisation, and if you have any reverse proxies or URL rewriting going on, those will also break on an expired certificate.

Monitoring for Expiring/Expired Certificates.

Windows has two places where you can track this. The first is the Application event log, Event ID 64 (source CertificateServicesClient-AutoEnrollment), which reports the thumbprint of the certificate that is about to expire or has already expired, as below:



Then you also have the CertificateServicesClient-Lifecycle-System log for computer certificates and CertificateServicesClient-Lifecycle-User for user certificates (both under Applications and Services Logs > Microsoft > Windows), as you can see below:


Event ID Lookup Codes

Event ID 1001 : A certificate has been replaced
Event ID 1003 : A certificate is about to expire
Event ID 1004 : A certificate has been deleted
Event ID 1005 : A certificate has been archived.
Event ID 1006 : A new certificate has been installed
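To turn the two logging locations above into something you can actually run on a schedule, here is an added example (my own script, not from the original article) that lists every certificate in the machine store that expires within a chosen number of days and then pulls the matching Event ID 64 and lifecycle events from the last week. Run it in an elevated PowerShell session on the web server; the 30-day window is an assumption, adjust it to your renewal period.

```powershell
# Added example (not from the original article). Reports certificates in the
# LocalMachine\My store that are expired or expire within $Days (30 is an
# assumption), then pulls the expiry and lifecycle events discussed above.
$Days   = 30
$cutoff = (Get-Date).AddDays($Days)

# 1. Certificates that are expired or about to expire, with their SAN entries
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -le $cutoff } |
    ForEach-Object {
        # OID 2.5.29.17 is the Subject Alternative Name extension
        $sanExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
            HasKey     = $_.HasPrivateKey      # no private key = cannot be bound in IIS
            SAN        = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
        }
    } | Sort-Object NotAfter | Format-Table -AutoSize -Wrap

# 2. Event ID 64 in the Application log (source CertificateServicesClient-AutoEnrollment)
Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = 64
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*CertificateServicesClient-AutoEnrollment*' } |
    Select-Object TimeCreated, Message | Format-List

# 3. Lifecycle events for computer certificates, using the IDs from the lookup list above
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'
        Id        = 1001, 1003, 1004, 1005, 1006
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

The HasKey column is worth watching: a certificate that shows up without a private key is exactly the "public certificate only" situation described later in this article and will never be usable for an IIS binding.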

✅ Domain based services can be automated

I find this quite interesting because if you have a domain and an internal certificate authority, which most companies do (and even if you don't, they are not massively complicated to set up), then you can issue your own certificates from inside your company. The enterprise CA's root certificate is published to Active Directory and distributed to every domain-joined device, so any device on your domain automatically trusts the certificates your internal CA issues.

🤨 Why then do expired certificates happen in domain environments?

This is a longer answer than you would imagine. For this to renew automatically there are a couple of settings you need to have in place, otherwise nothing happens, your certificates just expire, and then you need to manually re-create them once they have expired.

🔑 Renewal process (CSR/ Public/Private keys)

If you have a certificate that has expired, you will generally not be able to simply renew it from the expired one. You will need to complete a CSR (which stands for certificate signing request): the server generates a new key pair and puts the public key and the requested names into the CSR, which is then presented to your certificate authority. The CA's response is the signed certificate, containing that public key together with the CA's signature.

The response you get from your certificate authority contains only the public half. The private key never leaves the server that generated the CSR, and the issued certificate is only usable once it is paired with that private key in the same certificate store; otherwise the certificate is useless.

🚧 Binding public certificate only does not work!

Without both the certificate and its matching private key, you are unable to bind that certificate to any web server to secure your connections with TLS (SSL).

🛟 Base certificate required for renewal!

First, it is worth pointing out that you need to have the correct certificate installed on the server before you can renew it; this certificate needs to have the correct CN and SAN names. Installing it can also be automated, but depending on the complexity of your certificates it may not be possible to automate every one of them.

🤖 Automating certificate renewal for internal certificates

If you wish to automate this process, there are a couple of steps you need to go through. Many people get some of these steps correct but not all of them, which is why they end up manually renewing certificates, which is not recommended if you have a large server estate.

✈️ Preflight checklist

The prerequisites for this to be successful include:

A certificate template created with its subject name handling set so that the renewal request carries the right names (built from Active Directory information, or carried over from the existing certificate)

The certificate template's Security tab granting Enroll and Autoenroll to a group; inside this group you put the computer objects that need to auto renew, and nothing else, since every member of the group can request certificates from this template

A Group Policy object set up correctly to process the auto-renewal of the certificate

The policy setting applied so that IIS automatically rebinds renewed certificates to the website; this way, once your certificate is renewed, IIS will automatically start using it

What about the SAN names and other attributes?

Excellent question. Many certificates can be quite complex in nature and require more than just a basic CN, which is absolutely fine, because this process renews what is already there and keeps the attributes and syntax intact without changing them.

You only really run into problems if you let the certificate expire and have to renew it manually. When people do that, I have seen them leave off certain attributes and SAN names, which means the certificate does not function correctly.

SAN Names?

Yes, SAN names (subject alternative names) list the other names that are valid for this website. Usually you will have a CN, which should be repeated in the SAN list because modern browsers ignore the CN and only match against SAN entries, and then you add any further names users can be expected to visit the website on.

Note : if you are adding certificates for internal web servers, remember that not everyone will use the FQDN; some people will use the short name, which means bearex01.bear.local for one user could easily become bearex01 for another.

If you have not included both the FQDN and the shorter version, then when you visit the shorter version you will get an error that the name does not match the certificate.

🚀 Mission control : Creating the automated certificate renewal

Now that we understand why we’re doing this and all the caveats, we can start creating the policies that will do the magic 🌈

Note : you will need access to manage your certificate authority and to create Group Policy objects, which also includes creating a group in your domain; without this access you will not be able to complete the rest of this guide.

This will be broken up into a couple of steps to success:
  1. Configure Certificate Template
  2. Set Permissions on the Certificate Template
  3. Configure Auto-Enrollment via Group Policy
  4. Enable Automatic Rebind of Renewed Certificates in IIS via Group Policy
  5. Link the GPO to the Appropriate OU
  6. Optional : Force Group Policy Update
Configure Certificate Template

First we need to get to the templates, which are stored in AD DS, then we follow the basic overview instructions below:

Open the Certification Authority console (`certsrv.msc`).
Right-click on `Certificate Templates`, and select `Manage`.
Find and duplicate a template suitable for your purpose (e.g., Web Server).
Configure the validity period and renewal period as needed.

That will get you here, where you can see the Web Server certificate template in the green box, and these are the more detailed instructions:



Then we need to right click and choose Duplicate Template:



This will put you on the "Compatibility" tab, however before we get carried away click "General" as below:



You then need to give the certificate template a name; you will need a display name and a template name, and the template name cannot contain spaces. Then set the validity period and the renewal period (the renewal period must be shorter than the validity period, and it is the window before expiry in which auto-enrollment will attempt the renewal). These can be amended after the new template is created, but the name cannot be.


Just before we move on from this section, underneath the validity and renewal periods you will see these options:



Publish certificate in Active Directory : Yes. Tick this so the issued certificate is stored on the computer object in AD DS; this guide relies on AD DS being aware of which certificates have been issued (and the duplicate check below reads exactly that information), so ensure this option is ticked.

Do not automatically reenroll if a duplicate certificate exists in Active Directory : This needs to be unticked for this configuration. When it is enabled, auto-enrollment will not request another certificate from this template if one already exists on the object in AD DS, which means that if a certificate for "webserver.bear.local" has been issued and the renewal tries to "renew" it, the renewal is skipped because a certificate for "webserver.bear.local" already exists.

Now that this is configured, head back to the "Compatibility" tab and choose at least Windows Server 2016 for the certification authority and the matching Windows client version, as below, then apply those changes.



Then we move on to the "Request Handling" tab; here just ensure "Allow private key to be exported" is not ticked (an exportable key can be copied off the server by anyone with local administrator rights, which defeats the point of keeping it tied to the host):


Then we need to move to "Cryptography". For this example I have chosen ECDH (elliptic curve cryptography) as the algorithm with a 256-bit key for a more secure certificate, and also note I have increased the request hash to SHA256. One caveat: ECDH_P256 is a key-agreement algorithm, whereas for a TLS server certificate the signing algorithm ECDSA_P256 is the usual choice, so check what your clients and applications expect before committing the template:




However if you stick with RSA, which is legacy now, ensure you use at least a 2048-bit key for security, as below:


Then we move to the "Subject Name" tab. Because the certificate already exists on the server, a renewal is not a completely new certificate: the names are carried over from the existing one (when the subject is supplied in the request, this is the "Use subject information from existing certificates for autoenrollment renewal requests" option), so whatever CN and SANs are on the current certificate come across unchanged.
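Template settings are easy to get subtly wrong in the GUI, and the flags above are stored as bit masks on the template object in the Configuration partition, so here is an added example (my own script, not from the original article) that reads a template straight out of AD DS and decodes the settings this guide depends on: validity and renewal period, publish to AD, the duplicate-reenroll check, autoenrollment, how the subject is supplied, key exportability and the chosen algorithm. The template name BearWebServerAuto is an assumption; substitute your own. The bit values are the ones defined in the MS-CRTD specification.

```powershell
# Added example (not from the original article): audit a certificate template's
# flags directly from the Configuration partition. 'BearWebServerAuto' is an
# assumed template name (the "template name", not the display name).
$TemplateName = 'BearWebServerAuto'

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
try   { $null = $template.NativeObject }   # forces the bind so a bad name fails here
catch { throw "Template '$TemplateName' not found in $configNc" }

# pKIExpirationPeriod / pKIOverlapPeriod are 8-byte negative intervals in 100 ns units
function ConvertFrom-PkiPeriod([byte[]]$Bytes) {
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

$enrollFlag = [int]$template.Properties['msPKI-Enrollment-Flag'].Value
$nameFlag   = [int]$template.Properties['msPKI-Certificate-Name-Flag'].Value
$keyFlag    = [int]$template.Properties['msPKI-Private-Key-Flag'].Value

# Algorithm lives in msPKI-RA-Application-Policies as backtick-delimited fields
# when a KSP algorithm was picked on the Cryptography tab; absent on legacy templates
$raPol = [string]$template.Properties['msPKI-RA-Application-Policies'].Value
$alg   = if ($raPol -match 'msPKI-Asymmetric-Algorithm`PZPWSTR`([^`]+)') { $Matches[1] }
         else { 'not set (legacy CSP, RSA)' }

[pscustomobject]@{
    Template                   = $TemplateName
    Validity                   = ConvertFrom-PkiPeriod $template.Properties['pKIExpirationPeriod'].Value
    RenewalPeriod              = ConvertFrom-PkiPeriod $template.Properties['pKIOverlapPeriod'].Value
    PublishToAD                = [bool]($enrollFlag -band 0x8)   # CT_FLAG_PUBLISH_TO_DS, want $true
    NoReenrollIfDuplicateInAD  = [bool]($enrollFlag -band 0x10)  # want $false for this guide
    AutoEnrollment             = [bool]($enrollFlag -band 0x20)  # CT_FLAG_AUTO_ENROLLMENT
    SubjectSuppliedInRequest   = [bool]($nameFlag   -band 0x1)   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    RenewalReusesOldSubjectSAN = [bool]($nameFlag   -band 0x8)   # CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME
    PrivateKeyExportable       = [bool]($keyFlag    -band 0x10)  # CT_FLAG_EXPORTABLE_KEY, want $false
    KeyAlgorithm               = $alg
    MinimumKeySize             = [int]$template.Properties['msPKI-Minimal-Key-Size'].Value
}
```

Two values deserve a second look. If SubjectSuppliedInRequest is true, every principal granted Enroll on this template can request a certificate for any name it likes, which is why the group in the next step must contain only the web servers. And if RenewalReusesOldSubjectSAN is false while the subject is supplied in the request, an auto-enrollment renewal has nowhere to get the names from and will not preserve your SANs.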


Set Permissions on the Certificate Template

We now need to set the security permissions (ACL) on the template; the basic instructions are as follows:

In the Certificate Templates console, right-click on the new template and select `Properties`.
Go to the `Security` tab.
Add the group that contains the servers you want to auto-enroll.
Grant `Enroll` and `Autoenroll` permissions to this group.

That should look like this from the Security tab; notice my group is SSL-Autorenew with the permissions Enroll and Autoenroll. Keep this group to the web servers only: every member can request certificates from this template, and if the template lets the requester supply the subject, a member can request a certificate for any name.


Configure Auto-Enrollment via Group Policy

Right, next up we create the GPO, so the basic instructions are:

Open the Group Policy Management Console (`gpmc.msc`).
Create a new GPO 
Give the GPO a valid name, but leave it unlinked
Navigate to `Computer Configuration` -> `Policies` -> `Windows Settings` -> `Security Settings` -> `Public Key Policies` -> `Certificate Services Client - Auto-Enrollment`.
Enable the policy.
Select `Renew expired certificates, update pending certificates, and remove revoked certificates`.
Select `Update certificates that use certificate templates`.

This should get you to this dialogue where you can set the options. I have raised the expiry notification threshold from 10% to 15% of remaining lifetime; note that this setting controls when the Event ID 64 warnings are logged, while the actual renewal attempt is driven by the renewal period on the template:


Enable Automatic Rebind of Renewed Certificates in IIS via Group Policy

This is a simple registry key; these are the steps:

In the Group Policy Management Editor, navigate to `Computer Configuration` -> `Preferences` -> `Windows Settings` -> `Registry`.
Right-click on `Registry` and select `New` -> `Registry Item`.
Set Action of "Update"
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\IIS\Parameters
Value Name: EnableCertRebind
Value Type: REG_DWORD
Value Data: 1

That should look like this if you have done it correctly. After the policy has applied, open IIS Manager on a server, select Server Certificates and confirm that automatic rebind of renewed certificates shows as enabled; the rebind itself runs as a scheduled task triggered by lifecycle Event ID 1001 (certificate replaced), which is why the renewal must replace the existing certificate rather than add an unrelated one:



Link the GPO to the Appropriate OU

This one is quite simple, following the instructions below:

Open the Group Policy Management Console (`gpmc.msc`).
Locate the "OU" with your servers
This OU should contain the servers that will auto renew their certificates
Your servers should all be in the group you created earlier
Right click that OU
Choose "Link an existing GPO..."
Locate the name of the GPO you have created, for example "SSL-Autorenew"
Click on that Group Policy object
Click OK.

Optional : Force Group Policy Update

Run the command below on a server to pull the policy immediately. It is not required, as domain-joined computers refresh policy on their own (by default every 90 minutes with a random offset of up to 30 minutes, or whatever your group policy processing interval is set to).

gpupdate /force

This applies the new policy settings immediately; you may need to run it from an elevated command prompt. If you also want to force an auto-enrollment pass straight away rather than waiting for its own schedule, run certutil -pulse on the server afterwards.

Monitor IIS Rebind Events

In the Event Viewer, navigate to `Applications and Services Logs` -> `Microsoft` -> `Windows` -> `IIS-Configuration` -> `Operational`, where rebind activity is recorded.
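Watching the event log tells you a rebind happened; it does not tell you that every HTTPS binding now uses the newest certificate or that the certificate covers the names users actually type (the FQDN and short-name point made earlier). Here is an added example (my own verification script, not from the original article) that checks both, then confirms the rebind scheduled task exists and shows recent IIS configuration events. It assumes the IIS management tools (the WebAdministration module) are installed, the host names are a constructed example, and the task name IIS-AutoCertRebind is what I have observed IIS create and should be treated as an assumption if your version differs.

```powershell
# Added example (not from the original article): verify IIS bindings after an
# automatic renewal. Expected names are constructed; assumes WebAdministration.
Import-Module WebAdministration

# Names each server must answer on: FQDN and the short name people type (constructed)
$ExpectedNames = @('bearex01.bear.local', 'bearex01')

function Get-SanDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format($true) yields one entry per line, e.g. "DNS Name=bearex01.bear.local"
    ($ext.Format($true) -split "`r?`n") | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey

foreach ($binding in Get-ChildItem IIS:\SslBindings) {
    $bound = $machineCerts | Where-Object Thumbprint -eq $binding.Thumbprint
    if (-not $bound) {
        Write-Warning "$($binding.PSChildName): bound thumbprint $($binding.Thumbprint) has no usable certificate in LocalMachine\My"
        continue
    }
    # The newest unexpired certificate with the same subject is what the rebind should have moved to
    $newest = $machineCerts |
        Where-Object { $_.Subject -eq $bound.Subject -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    $san     = Get-SanDnsNames $bound
    $missing = $ExpectedNames | Where-Object { $san -notcontains $_ }

    [pscustomobject]@{
        Binding      = $binding.PSChildName          # e.g. 0.0.0.0!443 or !443!hostname
        Subject      = $bound.Subject
        NotAfter     = $bound.NotAfter
        UsesNewest   = [bool]($newest -and $newest.Thumbprint -eq $bound.Thumbprint)
        MissingNames = ($missing -join ',')          # empty means FQDN and short name are covered
    }
}

# The rebind feature is a scheduled task fired by lifecycle Event ID 1001 (task name is an assumption)
Get-ScheduledTask -TaskName 'IIS-AutoCertRebind' -ErrorAction SilentlyContinue |
    Select-Object TaskName, TaskPath, State

# Recent IIS configuration events, the same log the article points you to in Event Viewer
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-IIS-Configuration/Operational'
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

A binding that reports UsesNewest as false after a renewal means the certificate was issued but the rebind did not fire, which usually points back at the rebind setting not having applied or at the new certificate not being a replacement of the old one; a non-empty MissingNames column means the template's subject handling dropped a name during renewal.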