Internal CA - managing certificates
We have an Internal CA issuing certificates. However, there are some servers, such as Edge services and a few others that have expired certificates.
How can we manage this from the Internal CA? Is there a console or alerting system to be able to send out alerts of certificates expiring at any point?
Also, should servers that connect directly to the CA auto renew?
Thanks,
Mark
Who is Participating?
Experts Exchange Solution brought to you by
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Is it an automated task via the HTTP page of the CA?
for example:
Exchange edge has an internal certificate on it.
It can get to http://internalca/certsrv
but not https://internalca/certsrv
Does auto renewal use the HTTP method or is it normally done differently?
The certificate was generated manually, so how does this fair in terms of auto renewing?
Sorry for all the questions!
you can renew certificate with http, but only manually (unless you use 2008R2 and Windows 7 clients: http://technet.microsoft.com/en-us/library/dd759245.aspx)
if you cannot access https, either you have a firewall blocking port 443 from your edge to the internal CA, either the web enrollment site hasn't been configured to use https.
i think in your case the certificate won't update automatically
there's information here about port used and renewal methods :
http://technet.microsoft.com/en-us/library/cc784758%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc738405%28WS.10%29.aspx
Experts Exchange Solution brought to you by
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trialIt's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Excel 2013 Part … 176 lessons
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - PowerPoint 2013… 214 lessons
Experts Exchange Solution brought to you by
http://technet.microsoft.com/en-us/library/cc773129%28WS.10%29.aspx
But i think you cannot monitor the nearly expired certificates, unless you set reminders in your own Outlook for them. I've always proceed with this way, especially for DMZ servers such Edge or IIS which don't have access directly to the CA.
For auto renew, sure, you could auto renew for internal servers. It wouldn't be a security issue.