?
Solved

Internal CA - managing certificates

Posted on 2011-03-08
5
Medium Priority
?
1,029 Views
Last Modified: 2012-05-11
Hi all,

We have an Internal CA issuing certificates. However, there are some servers, such as Edge services and a few others that have expired certificates.

How can we manage this from the Internal CA? Is there a console or alerting system to be able to send out alerts of certificates expiring at any point?

Also, should servers that connect directly to the CA auto renew?

Thanks,
Mark
0
Comment
Question by:MarkMichael
  • 3
  • 2
5 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 35068607
You could find information for the CA to send email alerts here:
http://technet.microsoft.com/en-us/library/cc773129%28WS.10%29.aspx

But i think you cannot monitor the nearly expired certificates, unless you set reminders in your own Outlook for them. I've always proceed with this way, especially for DMZ servers such Edge or IIS which don't have access directly to the CA.

For auto renew, sure, you could auto renew for internal servers. It wouldn't be a security issue.
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35068614
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 35069925
How do certificates auto enroll anyway?

Is it an automated task via the HTTP page of the CA?

for example:

Exchange edge has an internal certificate on it.

It can get to http://internalca/certsrv

but not https://internalca/certsrv

Does auto renewal use the HTTP method or is it normally done differently?

The certificate was generated manually, so how does this fair in terms of auto renewing?

Sorry for all the questions!
0
 
LVL 11

Accepted Solution

by:
Tasmant earned 2000 total points
ID: 35070316
automatic enrollment usually rely on DCOM and RPC protocol.
you can renew certificate with http, but only manually (unless you use 2008R2 and Windows 7 clients: http://technet.microsoft.com/en-us/library/dd759245.aspx)
if you cannot access https, either you have a firewall blocking port 443 from your edge to the internal CA, either the web enrollment site hasn't been configured to use https.
i think in your case the certificate won't update automatically

there's information here about port used and renewal methods :
http://technet.microsoft.com/en-us/library/cc784758%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc738405%28WS.10%29.aspx
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 35081393
Lovely, thanks for all that info.

Cheers.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question