Solved

Internal CA - managing certificates

Posted on 2011-03-08
5
1,011 Views
Last Modified: 2012-05-11
Hi all,

We have an Internal CA issuing certificates. However, there are some servers, such as Edge services and a few others that have expired certificates.

How can we manage this from the Internal CA? Is there a console or alerting system to be able to send out alerts of certificates expiring at any point?

Also, should servers that connect directly to the CA auto renew?

Thanks,
Mark
0
Comment
Question by:MarkMichael
  • 3
  • 2
5 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 35068607
You could find information for the CA to send email alerts here:
http://technet.microsoft.com/en-us/library/cc773129%28WS.10%29.aspx

But i think you cannot monitor the nearly expired certificates, unless you set reminders in your own Outlook for them. I've always proceed with this way, especially for DMZ servers such Edge or IIS which don't have access directly to the CA.

For auto renew, sure, you could auto renew for internal servers. It wouldn't be a security issue.
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35068614
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 35069925
How do certificates auto enroll anyway?

Is it an automated task via the HTTP page of the CA?

for example:

Exchange edge has an internal certificate on it.

It can get to http://internalca/certsrv

but not https://internalca/certsrv

Does auto renewal use the HTTP method or is it normally done differently?

The certificate was generated manually, so how does this fair in terms of auto renewing?

Sorry for all the questions!
0
 
LVL 11

Accepted Solution

by:
Tasmant earned 500 total points
ID: 35070316
automatic enrollment usually rely on DCOM and RPC protocol.
you can renew certificate with http, but only manually (unless you use 2008R2 and Windows 7 clients: http://technet.microsoft.com/en-us/library/dd759245.aspx)
if you cannot access https, either you have a firewall blocking port 443 from your edge to the internal CA, either the web enrollment site hasn't been configured to use https.
i think in your case the certificate won't update automatically

there's information here about port used and renewal methods :
http://technet.microsoft.com/en-us/library/cc784758%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc738405%28WS.10%29.aspx
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 35081393
Lovely, thanks for all that info.

Cheers.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question