Solved

Certificate Expiration is set for only 1 year for issued certificates in a Windows 2008 Active Directory environment.

Posted on 2011-09-20
4,169 Views
Last Modified: 2012-05-12
When I open certificates I have created, they don't expire for 60 years. When I created my duplicate templates in Windows 2008 Certificate Services, my duplicate templates are set for 60 years for computers.
When I deploy my certificate with my templates, the workstations and servers show they are only valid for one year.
What gives?
I also noticed when I ran certutil -dspublish on my root certificate and set it as my trusted RootCA in Group Policy Trusted Root Authorities, that my domain controllers only have 1 year before the cert must be renewed.
How do I fix this?
Question by:lanman777
7 Comments

Expert Comment

by:Govvy
ID: 36569818
On the CA server run certtmpl.msc, locate the certificate template (e.g. Domain Controller Authentication), select Properties, and then increase the validity period.
Author Comment

by:lanman777
ID: 36570322
Even if "Publish certificate in Active Directory" is not checked?
Expert Comment

by:Shmoid
ID: 36571074
Correct. Your certificate templates are stored in Active Directory. More specifically, they are stored in the configuration partition of Active Directory. Even the new templates that you create from existing ones are stored there. The "Publish certificate in Active Directory" item is an attribute of the template but is related to the actual certificates that you create WITH the templates NOT the templates themselves.

Also, you don't really want to use such a long expiration anyway, especially for machine certs and user certs. They can be set up for auto-enrollment so they will renew without much work on your part anyway, but they will have new keys. Same thing with the Domain Controllers. They are probably already set up for auto-enrollment. Your offline root should have a validity period of about 20 years; however, you would want to renew it at half its specified life. Same for the Issuing CA, but 10 years, renewing every 5. The reason for the longer validity periods is that these certs are far more protected. That is one of the reasons you take your root offline: to protect the private key.
Author Comment

by:lanman777
ID: 36571359
The Certificate Services server on which I created my RootCA is stand-alone and is offline. I like the two-tiered approach of a stand-alone CS to create the RootCA and then have my issuing CS on my domain.
How do I validate autoenrollment for my Domain Controllers?
The domain controllers showed up in my MMC Certificate Authority / Issued Certificates after I ran certutil -dspublish, which is the same time I added my root certificate to Trusted Root Authorities in Group Policy. They showed up with a one-year expiration date.
I have increased the validity period as you suggested, but have not checked publish to AD. Will I need to revoke and reissue the certificate for the change to occur on my Domain Controllers?
Do I need to run a command line for my CRL in 2008, like I did to publish my root CA?
How do I test the CRL (Certificate Revocation List) in 2008 AD?
I made a duplicate template from my Computer template, set it to 20 years, checked publish to AD, and applied it to a test group of computers. They still show the certificate will expire in one year.
I don't want anything to expire in a year; at the least I need to make sure autoenrollment is working.

My important requirement will be to create a self-signing SSL certificate for a Windows 2003 server running Tomcat 6 that my workstations will access. I will create a request from this server using the command line, have my issuing CA sign it, and then reimport it. The last thing I want is for this very important SSL certificate to expire in a year; at the least it should renew automatically. Thus the focus I am taking now on the above section.


Accepted Solution

by: Shmoid (earned 500 total points)
ID: 36574674
You've asked several questions across multiple topics, so I've quoted your post in sections below and my responses are inline.

The Certificate Services server on which I created my RootCA is stand-alone and is offline. I like the two-tiered approach of a stand-alone CS to create the RootCA and then have my issuing CS on my domain.

I agree. The two tier setup is by far the most common. It provides a great deal of security as well as flexibility and accessibility.

How do I validate autoenrollment for my Domain Controllers? The domain controllers showed up in my MMC Certificate Authority / Issued Certificates after I ran certutil -dspublish, which is the same time I added my root certificate to Trusted Root Authorities in Group Policy. They showed up with a one-year expiration date.

Your Domain Controllers by default are in a container (group) called Domain Controllers. Likewise, when you install Certificate Services, a set of default templates is installed. Depending on the OS of your Domain Controller and the OS of your CA, one of the default templates will have auto-enroll configured for that Domain Controllers group. That is why they showed up automatically. Also, that template has a default validity period of 1 year.

I have increased the validity period as you suggested, but have not checked publish to AD. Will I need to revoke and reissue the certificate for the change to occur on my Domain Controllers?

Because these Domain Controller certificates will auto-renew, you should not change that default validity period unless you have a good reason. If you have changed that particular template, you should change it back. Other templates are more appropriate for changing the validity period, such as Web Server, perhaps to two or three years.

Do I need to run a command line for my CRL in 2008, like I did to publish my root CA?

Yes. First generate a new CRL with the command: certutil -CRL
Then publish it to Active Directory with the command: certutil -dspublish -f -dc "dcname.domain.com"

How do I test the CRL (Certificate Revocation List) in 2008 AD?

You can check your CRL status in the Enterprise PKI snap-in. Launch MMC, then add the snap-in. This will display all of your CRL Distribution Points. If one or more are unreachable, it will be marked with a red X. When you generate a new CRL it will, by default, be located on your CA at C:\WINDOWS\system32\certsrv\CertEnroll. When you issue the command above, it will publish it to Active Directory. That is all you need if only your internal users will validate certificates. However, if you ever expect users external to your network to need to validate one of your certificates, you should publish it to an external-facing website as well.

I made a duplicate template from my Computer template, set it to 20 years, checked publish to AD, and applied it to a test group of computers. They still show the certificate will expire in one year. I don't want anything to expire in a year; at the least I need to make sure autoenrollment is working.

Okay, several points to be made here. First, you probably don't want your certificates to have validity periods that long. As mentioned previously, 1 to 3 years is typical. Five years is not out of the question in low-security scenarios, but other than your CA's certificates, anything longer is a real stretch. It is basically defeating the purpose of Certificate Services.

Second, I think you are misunderstanding the use of the check box for Publish to AD. That simply means that when a certificate is generated using the template that has that check, the certificate will be published to Active Directory. It has nothing to do with getting the certificate to the machine, nor does it have anything to do with auto-enrollment. When used, it simply means that the subject of the certificate (whether a user or computer) has a public key added to their Active Directory object.

Finally, to make auto-enrollment work you only need to add an appropriate user or group to the ACL of the necessary template. For example, add the Domain Computers group to the ACL for the Computer template and select Read, Enroll and Autoenroll as permissions for that group. Once replicated (which in a small environment should be almost instant), any domain-joined computer should get a certificate. As stated previously, that is what happened with your Domain Controllers, because they were in a group that by default had auto-enroll permission to the Domain Controller template.

My important requirement will be to create a self-signing SSL certificate for a Windows 2003 server running Tomcat 6 that my workstations will access. I will create a request from this server using the command line, have my issuing CA sign it, and then reimport it. The last thing I want is for this very important SSL certificate to expire in a year; at the least it should renew automatically. Thus the focus I am taking now on the above section.

Okay, self-signed and CA-issued certificates are two different things. You don't want a self-signed cert. I'll mention once again that you DO want your certificates to have a fairly short validity period. I understand that you are concerned about it expiring in a year, but that is the nature of PKI. Certificate management is part of the process. Unfortunately, auto-enrollment will not work for Apache Tomcat. Tomcat uses the Java keystore, not the Microsoft keystore. As such, you will need to manually update this certificate. I know that's a pain, but if you are concerned about your traffic being secure you should follow best practice. I have some systems where we renew the certificates every three months.

One last thing. Be sure to select Base 64 when downloading the signed certificate for Tomcat. Also, be sure you import your CA’s certificate chain into the java keystore for Tomcat or you will get errors.
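The Tomcat part of the accepted answer (CSR from the server, signed by the issuing CA, chain imported into the Java keystore, Base-64 encoding) is a sequence that people routinely get wrong in one of two ways: importing the signed certificate under a new alias instead of the key pair's alias, or importing it before the CA chain is trusted. The following PowerShell script is an added worked example, not code from the thread or from either participant. Everything in it is an assumption for illustration: the keystore path, the `changeit` password, the alias `tomcat`, the host name `intranet.corp.example.com`, the CA config string `ca01.corp.example.com\CONTOSO-ISSUING-CA`, a `WebServer` template the requesting account may enroll for, and `root.cer` / `issuing.cer` already exported from the CA as Base-64 files.

```powershell
# Added example (not from the thread): take a Tomcat 6 server from a fresh key pair to a
# CA-issued certificate with its full chain in the Java keystore.
# Assumes keytool.exe (from the JDK Tomcat runs on) and certreq/certutil are on PATH.
# On a Java 5 JDK the keytool verbs are -genkey / -import instead of -genkeypair / -importcert.

$ks     = 'C:\tomcat6\conf\keystore.jks'              # hypothetical path
$ksPass = 'changeit'                                  # Tomcat's default; use a real secret
$alias  = 'tomcat'                                    # key pair alias; reused in step 4
$fqdn   = 'intranet.corp.example.com'                 # hypothetical; must match the URL clients use
$caCfg  = 'ca01.corp.example.com\CONTOSO-ISSUING-CA'  # hypothetical "host\CA name"

# 1. Key pair and CSR. The entry keytool creates here holds a self-signed placeholder
#    certificate; step 4 replaces that placeholder with the CA-issued one.
& keytool -genkeypair -alias $alias -keyalg RSA -keysize 2048 `
          -keystore $ks -storepass $ksPass -keypass $ksPass `
          -dname "CN=$fqdn, O=Contoso"
& keytool -certreq -alias $alias -file tomcat.csr -keystore $ks -storepass $ksPass

# 2. Submit the CSR to the enterprise CA, naming the template explicitly. If the CA
#    auto-issues, the DER-encoded certificate lands in tomcat.cer; if the request is left
#    pending, certreq prints a RequestId to use with "certreq -retrieve" after approval.
& certreq -submit -config $caCfg -attrib 'CertificateTemplate:WebServer' tomcat.csr tomcat.cer

# 3. Convert the DER file to Base-64 (PEM). keytool accepts either encoding, but Base-64
#    is what the thread recommends and it can be inspected in a text editor.
& certutil -encode tomcat.cer tomcat.pem

# 4. Import the chain FIRST (root, then issuing CA) as trusted entries, THEN the server
#    certificate under the SAME alias as the key pair. Doing it in the other order is what
#    produces keytool's "Failed to establish chain from reply" error.
& keytool -importcert -trustcacerts -noprompt -alias corp-root    -file root.cer    -keystore $ks -storepass $ksPass
& keytool -importcert -trustcacerts -noprompt -alias corp-issuing -file issuing.cer -keystore $ks -storepass $ksPass
& keytool -importcert -trustcacerts -noprompt -alias $alias       -file tomcat.pem  -keystore $ks -storepass $ksPass

# 5. Verify: the tomcat entry should be a PrivateKeyEntry with a chain length of 3, and the
#    "until" date is the one to diary, because nothing will auto-renew a Java keystore.
& keytool -list -v -keystore $ks -storepass $ksPass -alias $alias |
    Select-String -Pattern 'Entry type|Certificate chain length|until'
```

Point Tomcat's HTTPS Connector at the keystore file and password and restart it. Passing `-storepass` on the command line exposes the password to anyone who can list processes on the server; on a shared box, omit the flag and let keytool prompt.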
Author Comment

by:lanman777
ID: 36584094
Ok, thanks! I greatly appreciate your help!

Regarding my RootCA, what is best practice for validity for the RootCA certificate I created from my stand-alone server? Do I have to revoke it and create a new one from my stand-alone CA?
Or can I use the certutil command and change the validity period for my RootCA to 5 or 10 years?
Expert Comment

by:Shmoid
ID: 36584781
First, you cannot issue a certificate with a validity period that extends past the expiration of its parent. So you first need to update the cert on your offline root, then issue a new cert to the subordinate CA.
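Two facts scattered across the answers above explain the asker's one-year certificates: a template's validity period is only one of the limits on an issued certificate, and a certificate can never outlive its issuer. The effective lifetime of anything an AD CS CA issues is the smallest of (1) the template's validity period, (2) the CA-wide cap stored in the CertSvc registry as `ValidityPeriod` / `ValidityPeriodUnits`, and (3) the remaining lifetime of the CA's own certificate. The PowerShell script below is an added worked example, not code from the thread or from either participant; it reads all three limits on the issuing CA, reports every machine certificate with the template it came from and the lifetime it was actually issued with, and spot-checks CRL reachability for one certificate with `certutil -verify -urlfetch`. The CA name `CONTOSO-ISSUING-CA` is an assumption; replace it with the name `certutil -cainfo` reports on your CA.

```powershell
# Added example (not from the thread): audit why AD CS issues certificates shorter-lived
# than their template asks for, and test CRL reachability the way a relying party would.
# Issued lifetime = min(template validity, CA registry cap, remaining CA cert lifetime).
# Run on the issuing CA as an administrator; Windows PowerShell 2.0 or later.

$CaName = 'CONTOSO-ISSUING-CA'   # hypothetical; use the name from "certutil -cainfo name"

function Get-CaValidityCap {
    # Limit 2: the CA-wide cap. "certutil -getreg CA\ValidityPeriodUnits" shows the same
    # values; reading the registry directly is easier to script.
    param([string]$Name)
    $cfg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$Name"
    '{0} {1}' -f $cfg.ValidityPeriodUnits, $cfg.ValidityPeriod      # e.g. "1 Years"
}

function Get-CertTemplateName {
    # v2 templates carry "Certificate Template Information" (OID 1.3.6.1.4.1.311.21.7);
    # v1 templates carry "Certificate Template Name" (OID 1.3.6.1.4.1.311.20.2).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -or $ext.Oid.Value -eq '1.3.6.1.4.1.311.20.2') {
            # Format() renders e.g. "Template=Computer(1.3.6.1.4.1.311.21.8...), Major Version Number=5, ..."
            return (($ext.Format($false) -replace '^Template=', '') -replace '\(.*$', '').Trim()
        }
    }
    '(no template extension)'
}

function Get-CertLifetimeReport {
    # Every certificate with a private key in the given store, with the template it came
    # from and the lifetime it was issued with. A 365-day lifetime on a 20-year template
    # means limit 2 or limit 3 won, not the template.
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        New-Object PSObject -Property @{
            Subject      = $_.Subject
            Template     = Get-CertTemplateName $_
            Expires      = $_.NotAfter
            LifetimeDays = [int]($_.NotAfter - $_.NotBefore).TotalDays
            DaysLeft     = [int]($_.NotAfter - (Get-Date)).TotalDays
        }
    }
}

function Test-CertRevocationChain {
    # Export one certificate and let certutil fetch every CDP and AIA URL in its chain:
    # the command-line equivalent of the Enterprise PKI snap-in's red-X check.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $tmp = Join-Path $env:TEMP ("$($Cert.Thumbprint).cer")
    [System.IO.File]::WriteAllBytes($tmp, $Cert.Export('Cert'))
    try     { & certutil.exe -verify -urlfetch $tmp | Select-String -Pattern 'Verified|Revocation|CRL|ERROR|expired' }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

# --- Run the audit ---
Write-Host ("Limit 2, CA-wide validity cap: {0}" -f (Get-CaValidityCap $CaName))

# Limit 3: the CA's own certificate lives in the CA server's machine Personal store.
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$CaName*" } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
if ($caCert) {
    Write-Host ("Limit 3, CA certificate expires: {0} ({1} days left)" -f $caCert.NotAfter, [int]($caCert.NotAfter - (Get-Date)).TotalDays)
}

Get-CertLifetimeReport | Sort-Object DaysLeft |
    Format-Table Template, LifetimeDays, DaysLeft, Expires, Subject -AutoSize

# Spot-check revocation for the soonest-expiring certificate with a private key.
$soonest = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } |
           Sort-Object NotAfter | Select-Object -First 1
if ($soonest) { Test-CertRevocationChain $soonest }

# To raise limit 2 (the change applies after the service restarts):
#   certutil -setreg CA\ValidityPeriodUnits 2
#   certutil -setreg CA\ValidityPeriod "Years"
#   net stop certsvc; net start certsvc
```

If every machine certificate shows a LifetimeDays near 365 regardless of template, limit 2 or limit 3 is the binding one and editing templates in certtmpl.msc will change nothing. To confirm that auto-enrollment is renewing on a client, run `certutil -pulse` there and look for Microsoft-Windows-CertificateServicesClient-AutoEnrollment events in the Application log.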