Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!
Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!
Act now. This offer ends July 14, 2017.
Course Of The Month
7 days, 2 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Internal CA - managing certificates
Posted on 2011-03-08
Hi all,
We have an Internal CA issuing certificates. However, there are some servers, such as Edge services and a few others that have expired certificates.
How can we manage this from the Internal CA? Is there a console or alerting system to be able to send out alerts of certificates expiring at any point?
Also, should servers that connect directly to the CA auto renew?
Thanks,
Mark
We have an Internal CA issuing certificates. However, there are some servers, such as Edge services and a few others that have expired certificates.
How can we manage this from the Internal CA? Is there a console or alerting system to be able to send out alerts of certificates expiring at any point?
Also, should servers that connect directly to the CA auto renew?
Thanks,
Mark
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3-
2
5 Comments
You could find information for the CA to send email alerts here:
http://technet.microsoft.com/en-us/library/cc773129%28WS.10%29.aspx
But i think you cannot monitor the nearly expired certificates, unless you set reminders in your own Outlook for them. I've always proceed with this way, especially for DMZ servers such Edge or IIS which don't have access directly to the CA.
For auto renew, sure, you could auto renew for internal servers. It wouldn't be a security issue.
http://technet.microsoft.com/en-us/library/cc773129%28WS.10%29.aspx
But i think you cannot monitor the nearly expired certificates, unless you set reminders in your own Outlook for them. I've always proceed with this way, especially for DMZ servers such Edge or IIS which don't have access directly to the CA.
For auto renew, sure, you could auto renew for internal servers. It wouldn't be a security issue.
Active 1 day ago
How do certificates auto enroll anyway?
Is it an automated task via the HTTP page of the CA?
for example:
Exchange edge has an internal certificate on it.
It can get to http://internalca/certsrv
but not https://internalca/certsrv
Does auto renewal use the HTTP method or is it normally done differently?
The certificate was generated manually, so how does this fair in terms of auto renewing?
Sorry for all the questions!
Is it an automated task via the HTTP page of the CA?
for example:
Exchange edge has an internal certificate on it.
It can get to http://internalca/certsrv
but not https://internalca/certsrv
Does auto renewal use the HTTP method or is it normally done differently?
The certificate was generated manually, so how does this fair in terms of auto renewing?
Sorry for all the questions!
automatic enrollment usually rely on DCOM and RPC protocol.
you can renew certificate with http, but only manually (unless you use 2008R2 and Windows 7 clients: http://technet.microsoft.com/en-us/library/dd759245.aspx)
if you cannot access https, either you have a firewall blocking port 443 from your edge to the internal CA, either the web enrollment site hasn't been configured to use https.
i think in your case the certificate won't update automatically
there's information here about port used and renewal methods :
http://technet.microsoft.com/en-us/library/cc784758%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc738405%28WS.10%29.aspx
you can renew certificate with http, but only manually (unless you use 2008R2 and Windows 7 clients: http://technet.microsoft.com/en-us/library/dd759245.aspx)
if you cannot access https, either you have a firewall blocking port 443 from your edge to the internal CA, either the web enrollment site hasn't been configured to use https.
i think in your case the certificate won't update automatically
there's information here about port used and renewal methods :
http://technet.microsoft.com/en-us/library/cc784758%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc738405%28WS.10%29.aspx
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention.
Multiple USB devices need t…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders.
Click on Start and then select Computer to view the available drives on the se…
Suggested Courses
Course of the Month7 days, 2 hours left to enroll
Earn Certification
MCSA Configuring Windows 7 Exam 70-680
$49.00$44.10
724 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.