Solved

Internal CA - managing certificates

Posted on 2011-03-08
5
1,009 Views
Last Modified: 2012-05-11
Hi all,

We have an Internal CA issuing certificates. However, there are some servers, such as Edge services and a few others that have expired certificates.

How can we manage this from the Internal CA? Is there a console or alerting system to be able to send out alerts of certificates expiring at any point?

Also, should servers that connect directly to the CA auto renew?

Thanks,
Mark
0
Comment
Question by:MarkMichael
  • 3
  • 2
5 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 35068607
You could find information for the CA to send email alerts here:
http://technet.microsoft.com/en-us/library/cc773129%28WS.10%29.aspx

But i think you cannot monitor the nearly expired certificates, unless you set reminders in your own Outlook for them. I've always proceed with this way, especially for DMZ servers such Edge or IIS which don't have access directly to the CA.

For auto renew, sure, you could auto renew for internal servers. It wouldn't be a security issue.
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35068614
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 35069925
How do certificates auto enroll anyway?

Is it an automated task via the HTTP page of the CA?

for example:

Exchange edge has an internal certificate on it.

It can get to http://internalca/certsrv

but not https://internalca/certsrv

Does auto renewal use the HTTP method or is it normally done differently?

The certificate was generated manually, so how does this fair in terms of auto renewing?

Sorry for all the questions!
0
 
LVL 11

Accepted Solution

by:
Tasmant earned 500 total points
ID: 35070316
automatic enrollment usually rely on DCOM and RPC protocol.
you can renew certificate with http, but only manually (unless you use 2008R2 and Windows 7 clients: http://technet.microsoft.com/en-us/library/dd759245.aspx)
if you cannot access https, either you have a firewall blocking port 443 from your edge to the internal CA, either the web enrollment site hasn't been configured to use https.
i think in your case the certificate won't update automatically

there's information here about port used and renewal methods :
http://technet.microsoft.com/en-us/library/cc784758%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc738405%28WS.10%29.aspx
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 35081393
Lovely, thanks for all that info.

Cheers.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now