Solved

Certificate Expiration is set for only 1  year for issued certificates in a Windows 2008 Active Directory environment.

Posted on 2011-09-20
7
Medium Priority
5,262 Views
Last Modified: 2012-05-12
When I open certificates I have created, they don't expire for 60 years. When I created my duplicate templates in Windows 2008 Certificate Services, my duplicate templates were set for 60 years for computers.
When I deploy my certificate with my templates, the workstations and servers show they are only valid for one year?
What gives?
I also noticed when I ran certutil -dspublish on my root certificate, and set it as my trusted Root CA in Group Policy Trusted Root Authorities, that my domain controllers only have 1 year before the cert must be renewed.
How do I fix this?
0
Comment
Question by:lanman777
7 Comments
 
LVL 13

Expert Comment

by:Govvy
ID: 36569818
On the CA Server run certtmpl.msc - locate the certificate template i.e. Domain Controller Authentication and select properties and then increase validity period
0
 

Author Comment

by:lanman777
ID: 36570322
Even if "Publish certificate in Active Directory" is not checked?
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36571074
Correct. Your certificate templates are stored in Active Directory. More specifically, they are stored in the configuration partition of Active Directory. Even the new templates that you create from existing ones are stored there. The "Publish certificate in Active Directory" item is an attribute of the template but is related to the actual certificates that you create WITH the templates, NOT the templates themselves.

Also, you don't really want to use such a long expiration anyway, especially for machine certs and user certs. They can be set up for auto-enrollment so they will renew without much work on your part anyway, but they will have new keys. Same thing with the Domain Controllers; they are probably already set up for auto-enrollment. Your offline root should have a validity period of about 20 years; however, you would want to renew it at half its specified life. Same for the Issuing CA, but 10 years, renewing every 5. The reason for longer validity periods is that these certs are far more protected. That is one of the reasons you take your root offline: to protect the private key.
0
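The comment above says the templates live in the configuration partition and that their validity period is an attribute of the template, not of the issued certificate. The script below (an added example, not code from this thread) reads that container directly with the built-in [ADSI] type, decodes each template's pKIExpirationPeriod and pKIOverlapPeriod (validity and renewal window), and lists which principals hold the Enroll and Autoenroll rights on it, so you can see at a glance why a given group of machines is (or is not) picking up a template. The two extended-right GUIDs are the schema's Certificate-Enrollment and Certificate-AutoEnrollment control-access rights; the 3-year flag threshold is this thread's own guidance and is just a parameter.

```powershell
# Added example, not from the thread: audit certificate templates straight from the
# configuration partition. Needs only read access to the partition; no extra modules.

# Extended-right GUIDs from the AD schema (controlAccessRight objects):
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod / pKIOverlapPeriod are 8-byte little-endian signed integers that
    # hold a NEGATIVE count of 100-ns ticks (a relative FILETIME). Returns a TimeSpan.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -ne 8) { return $null }
    $ticks = [BitConverter]::ToInt64($Bytes, 0)
    New-Object TimeSpan (-$ticks)
}

function Get-TemplateAudit {
    # One object per template; LongValidity is set when the template exceeds $FlagAboveYears.
    param([double]$FlagAboveYears = 3)

    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($tmpl in $container.Children) {
        $validity = ConvertFrom-PkiPeriod $tmpl.Properties['pKIExpirationPeriod'].Value
        $renewal  = ConvertFrom-PkiPeriod $tmpl.Properties['pKIOverlapPeriod'].Value

        # Walk the DACL. Only Allow ACEs count. Full Control, or an ExtendedRight ACE with an
        # empty ObjectType (= every extended right), implicitly grants both rights.
        $enroll = @(); $auto = @()
        $rules = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        foreach ($r in $rules) {
            if ($r.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            $who    = $r.IdentityReference.Value
            $rights = $r.ActiveDirectoryRights
            $full   = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
            $allExt = (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and ($r.ObjectType -eq [Guid]::Empty)
            if ($full -or $allExt -or $r.ObjectType -eq $EnrollRight)     { $enroll += $who }
            if ($full -or $allExt -or $r.ObjectType -eq $AutoEnrollRight) { $auto   += $who }
        }

        $years = $(if ($validity) { [Math]::Round($validity.TotalDays / 365.25, 2) } else { $null })
        New-Object PSObject -Property @{
            Template      = $tmpl.Properties['cn'].Value
            DisplayName   = $tmpl.Properties['displayName'].Value
            ValidityYears = $years
            RenewalDays   = $(if ($renewal) { [int]$renewal.TotalDays } else { $null })
            LongValidity  = ($years -ne $null -and $years -gt $FlagAboveYears)
            CanEnroll     = ($enroll | Sort-Object -Unique) -join '; '
            CanAutoEnroll = ($auto   | Sort-Object -Unique) -join '; '
        }
    }
}

Get-TemplateAudit | Sort-Object Template |
    Format-Table Template, ValidityYears, RenewalDays, LongValidity, CanAutoEnroll -AutoSize
```

Run it as any domain user; write access is not needed. A template that shows 60 years here is what you edited with certtmpl.msc, while the 1-year DomainController / Domain Controller Authentication templates explain the certificates that appeared on the DCs. If a template has a long validity but no principal in CanAutoEnroll, it is a template nobody is enrolling from, which is the usual reason a duplicate "does nothing".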
 

Author Comment

by:lanman777
ID: 36571359
The Certificate Services server on which I created my Root CA is stand-alone and is offline. I like the two-tiered approach of a stand-alone CS to create the Root CA and then having my issuing CS on my domain.
How do I validate autoenrollment for my Domain Controllers?
The domain controllers showed up in my MMC Certificate Authority / Issued Certificates after I ran certutil -dspublish, which is the same time I added my Root Certificate to Trusted Root Authorities in Group Policy. They showed up with a one-year expiration date.
I have increased the validity period as you suggested, but have not checked publish to AD. Will I need to revoke and reissue the certificate for the change to occur on my Domain Controllers?
Do I need to run a command line for my CRL in 2008, like I did to publish my root CA?
How do I test the CRL (Certificate Revocation List) in 2008 AD?
I made a duplicate template from my computer template, set it to 20 years, checked publish to AD and applied it to a test group of computers. They still show the certificate will expire in one year.
I don't want anything to expire in a year; at the least, I need to make sure autoenrollment is working.

My important requirement will be to create a self-signing SSL certificate for a Windows 2003 server running Tomcat 6 that my workstations will access. I will create a request from this server using the command line, have my issuing CA sign it and then reimport it. The last thing I want is for this very important SSL certificate to expire in a year, or at least it should renew automatically. Thus the focus I am taking now on the above section.


0
 
LVL 8

Accepted Solution

by:
Shmoid earned 2000 total points
ID: 36574674
You've asked several questions across multiple topics, so I've quoted your post in sections below and my responses are inline.

The Certificate Services server on which I created my Root CA is stand-alone and is offline. I like the two-tiered approach of a stand-alone CS to create the Root CA and then having my issuing CS on my domain.

I agree. The two tier setup is by far the most common. It provides a great deal of security as well as flexibility and accessibility.

How do I validate autoenrollment for my Domain Controllers? The domain controllers showed up in my MMC Certificate Authority / Issued Certificates after I ran certutil -dspublish, which is the same time I added my Root Certificate to Trusted Root Authorities in Group Policy. They showed up with a one-year expiration date.

Your Domain Controllers by default are in a container (group) called Domain Controllers. Likewise, when you install Certificate Services a group of default templates are installed. Depending on the OS of your Domain Controller and the OS of your CA one of the default templates will have auto-enroll configured for that Domain Controller group. That is why they showed up automatically. Also, that template has a default validity period of 1 year.  

I have increased the validity period as you suggested, but have not checked publish to AD. Will I need to revoke and reissue the certificate for the change to occur on my Domain Controllers?

Because these Domain Controller certificates will auto renew you should not change that default validity period unless you have a good reason.  If you have changed that particular template you should change it back. Other templates are more appropriate to change the validity period such as Web Server. Perhaps to two or three years.  

Do I need to run a command line for my CRL in 2008, like I did to publish my root CA?

Yes. First generate a new CRL with the command: certutil -CRL
Then publish it to Active Directory with the command: certutil -dc "dcname.domain.com" -dspublish -f "<CA name>.crl"

How do I test the CRL (Certificate Revocation List) in 2008 AD?


You can check your CRL status in the Enterprise PKI snap-in. Launch MMC then add the snap-in. This will display all of your CRL Distribution Points. If one or more are unreachable it will be marked with a red X. When you generate a new CRL it will, by default, be located on your CA at C:\WINDOWS\system32\certsrv\CertEnroll. When you issue the command above it will publish it to Active Directory. That is all you need if only your internal users will validate certificates. However, if you ever expect users external to your network to need to validate one of your certificates you should publish it to an external facing website as well.

I made a duplicate template from my computer template, set it to 20 years, checked publish to AD and applied it to a test group of computers. They still show the certificate will expire in one year. I don't want anything to expire in a year; at the least, I need to make sure autoenrollment is working.

Okay, several points to be made here. First, you probably don't want your certificates to have validity periods that long. As mentioned previously, 1 to 3 years is typical. Five years is not out of the question in low-security scenarios, but other than your CA's certificates anything longer is a real stretch. It is basically defeating the purpose of Certificate Services.

Second, I think you are misunderstanding the use of the check box for Publish to AD. That simply means that when a certificate is generated using a template that has that check, the certificate will be published to Active Directory. It has nothing to do with getting the certificate to the machine, nor does it have anything to do with auto-enrollment. When used, it simply means that the subject of the certificate (whether a user or computer) has a public key added to their Active Directory object.

Finally, to make auto-enrollment work you only need to add an appropriate User or Group to the ACL of the necessary template. For example, add the Domain Computers group to the ACL for the Computer template and select Read, Enroll and Autoenroll as permissions for that group. Once replicated (which in a small environment should be almost instant), any domain-joined computer should get a certificate. As stated previously, that is what happened with your Domain Controllers, because they were in a group that by default had auto-enroll permission to the Domain Controller template.

My important requirement will be to create a self-signing SSL certificate for a Windows 2003 server running Tomcat 6 that my workstations will access. I will create a request from this server using the command line, have my issuing CA sign it and then reimport it. The last thing I want is for this very important SSL certificate to expire in a year, or at least it should renew automatically. Thus the focus I am taking now on the above section.

Okay, self-signed and CA issued certificates are two different things. You don’t want a self-signed cert.  I’ll mention once again that you DO want your certificates to have a fairly short validity period. I understand that you are concerned about it expiring in a year but that is the nature of PKI. Certificate management is part of the process. Unfortunately, auto-enrollment will not work for Apache Tomcat. Tomcat uses the Java Keystore not the Microsoft keystore. As such you will need to manually update this certificate. I know that’s a pain but if you are concerned about your traffic being secure you should follow best practice. I have some systems that we renew the certificates every three months.

One last thing. Be sure to select Base 64 when downloading the signed certificate for Tomcat. Also, be sure you import your CA’s certificate chain into the java keystore for Tomcat or you will get errors.
0
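The accepted answer gives the two CRL commands, points at the Enterprise PKI snap-in for checking distribution points, and explains that auto-enrollment is what actually puts certificates on machines. The script below is an added example (not the answer's own code) that strings those pieces together on the issuing CA or a domain member: it regenerates and publishes the CRL with the full certutil syntax, uses certutil -verify -urlfetch to prove that the AIA and CDP URLs in an issued certificate's chain are reachable, triggers auto-enrollment immediately with certutil -pulse, and then inventories the machine's certificates with the template each came from and the days it has left. The CA name and DC name are placeholders.

```powershell
# Added example, not from the thread. Run elevated on the issuing CA (steps 1-2) or on any
# domain member (steps 3-4). PLACEHOLDERS: $CaName and $DcName.

$CaName  = 'Corp Issuing CA'                  # PLACEHOLDER: the issuing CA's common name
$DcName  = 'dc01.corp.example'                # PLACEHOLDER: a writable domain controller
$CrlFile = Join-Path "$env:SystemRoot\System32\certsrv\CertEnroll" "$CaName.crl"

# 1. Build a fresh CRL and publish it to the CDP container in Active Directory.
#    -dc goes before the verb; -f overwrites an existing object of the same name.
certutil -CRL
certutil -dc $DcName -dspublish -f $CrlFile
# Sanity check the artifact you just published: the next-update time should be in the future.
certutil -dump $CrlFile | Select-String 'Update|CRL Number'

# 2. Prove revocation checking works end to end for one issued certificate. -urlfetch makes
#    certutil download every AIA/CDP URL in the chain and report the ones it cannot reach.
$probe = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
if ($probe) {
    $tmp = Join-Path $env:TEMP 'probe.cer'
    [IO.File]::WriteAllBytes($tmp, $probe.Export('Cert'))
    certutil -verify -urlfetch $tmp | Select-String 'Verified|ERROR|Revocation|CRL'
}

# 3. Kick auto-enrollment now rather than waiting for the next Group Policy refresh.
certutil -pulse

function Get-MachineCertInventory {
    # The template name is carried in the v1 (1.3.6.1.4.1.311.20.2) or v2 (1.3.6.1.4.1.311.21.7)
    # certificate-template extension; a cert with neither did not come from a template.
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $ext = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
        New-Object PSObject -Property @{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Template   = $(if ($ext) { $ext.Format($false) } else { '(no template extension)' })
            NotAfter   = $_.NotAfter
            DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
            Thumbprint = $_.Thumbprint
        }
    }
}

# 4. A healthy auto-enrolled machine shows its template-issued certs here. One that is close
#    to expiry without a newer sibling from the same template means renewal is not happening.
Get-MachineCertInventory | Sort-Object DaysLeft |
    Format-Table Subject, Template, NotAfter, DaysLeft -AutoSize
```

If step 2 prints a revocation error against a CDP URL, the CRL was generated but is not where the issued certificates say it is (the same red X the Enterprise PKI snap-in would show). If step 4 lists the Domain Controller certificates at roughly one year and nothing from your duplicate template, the template's ACL, not its validity period, is what to look at.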
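For the Tomcat part of the answer (CA-issued rather than self-signed, Base64 output, the CA chain imported into the Java keystore, and no auto-enrollment for a JKS), here is an added example that is not the answer's own code. It runs on the Tomcat host with a JDK installed: keytool creates the key pair and CSR, certreq submits the CSR to the enterprise issuing CA and retrieves the certificate (Base64 is certreq's default; -binary would give DER), keytool imports the chain root-first and then the server certificate under the same alias as the private key, and finally the script records the expiry so the manual renewal the answer warns about can be scheduled. JAVA_HOME, the keystore path, the CA config string, the host name and the chain file names are all placeholders.

```powershell
# Added example, not from the thread. Run on the Tomcat server (JDK on the box, the issuing
# CA reachable over RPC). Every value marked PLACEHOLDER must be replaced.

$keytool   = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$keystore  = 'C:\tomcat6\conf\tomcat.jks'                  # PLACEHOLDER: keystoreFile in server.xml
$storePass = Read-Host 'Keystore password'                 # keytool only takes it in clear text
$caConfig  = 'issuingca.corp.example\Corp Issuing CA'      # PLACEHOLDER: "host\CA common name"
$hostName  = 'intranet.corp.example'                       # PLACEHOLDER: the name workstations browse to
$chain     = @(                                            # PLACEHOLDER files, root FIRST
    @{ Alias = 'corp-root';    File = '.\root.cer' },
    @{ Alias = 'corp-issuing'; File = '.\issuing.cer' }
)

# 1. Key pair stays inside the JKS. Remember the alias: every later import must reuse it.
& $keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 `
    -keystore $keystore -storepass $storePass -keypass $storePass `
    -dname "CN=$hostName, O=Corp"

# 2. CSR out, signed certificate back from the enterprise CA using the Web Server template.
& $keytool -certreq -alias tomcat -keystore $keystore -storepass $storePass -file tomcat.csr
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' tomcat.csr tomcat.cer

# 3. Trust anchors first (root, then issuing CA), each under its own alias. The server cert
#    then goes in under the PRIVATE KEY's alias so keytool attaches it as that key's chain
#    instead of storing it as one more trusted cert.
foreach ($ca in $chain) {
    & $keytool -importcert -trustcacerts -noprompt -alias $ca.Alias -file $ca.File `
        -keystore $keystore -storepass $storePass
}
& $keytool -importcert -alias tomcat -file tomcat.cer `
    -keystore $keystore -storepass $storePass -keypass $storePass

# 4. Nothing will auto-renew a JKS, so capture the expiry now and put the date in a calendar.
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path tomcat.cer).Path)
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
"Tomcat certificate for $($cert.Subject) expires $($cert.NotAfter) ($daysLeft days left)."

# 5. Confirm the keystore holds the full chain for the alias Tomcat will use.
& $keytool -list -v -keystore $keystore -storepass $storePass -alias tomcat |
    Select-String 'Certificate chain length|until:'
```

Point the Tomcat 6 HTTPS connector in server.xml at the file with keystoreFile and keystorePass. If step 5 reports a chain length of 1, the CA certificates were not imported before the server certificate and the order in step 3 has to be repeated; that is the "errors" case the answer mentions.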
 

Author Comment

by:lanman777
ID: 36584094
Ok, thanks! I greatly appreciate your help!

Regarding my Root CA, what is best practice for validity for the Root CA certificate I created from my stand-alone server? Do I have to revoke it and create a new one from my stand-alone CA?
Or can I use the certutil command and change the validity period for my Root CA to 5 or 10 years?
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36584781
First, you cannot issue a certificate with a validity period that extends past the expiration of its parent. So you first need to update the cert on your offline root. Then issue a new cert to the subordinate CA.
0
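The comment above gives the order: renew the root's own certificate first, then re-issue the subordinate, because a CA cuts every certificate it issues back to its own expiry. The following is an added example of that sequence (not from the thread) using the 20-year root / 10-year issuing CA figures the answers suggest. On a Windows CA the root's own renewed certificate takes its validity from RenewalValidityPeriod and RenewalValidityPeriodUnits in CAPolicy.inf, while the CA\ValidityPeriod registry values cap what the CA issues, which for an offline root is the subordinate CA certificate. Each section is labelled with the machine it runs on; CA names, file names, the DC name and the request ID are placeholders.

```powershell
# Added example, not from the thread. PLACEHOLDERS: "Corp Root CA", "Corp Issuing CA",
# rootca (host name), dc01.corp.example and <RequestId>. Run each section on the host named.

# ===================== On the OFFLINE ROOT (standalone CA) =====================
# CAPolicy.inf in %SystemRoot% controls the root's OWN renewed certificate.
@"
[Version]
Signature="`$Windows NT`$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=Years
"@ | Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Encoding ASCII

# Registry values cap what this CA ISSUES, i.e. the subordinate CA certificate (10 years).
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc                      # both settings are read at service start

# Renew the root certificate with the existing key pair; the new .crt lands in CertEnroll.
certutil -renewCert ReuseKeys
certutil -CRL                                # a CRL signed by the renewed certificate
# Carry "<CertEnroll>\Corp Root CA.crt" and the .crl to a domain member and publish them:
#   certutil -dc dc01.corp.example -dspublish -f "Corp Root CA.crt" RootCA
#   certutil -dc dc01.corp.example -dspublish -f "Corp Root CA.crl"

# ===================== On the ISSUING (subordinate) CA =========================
# Produces "Corp Issuing CA.req" in CertEnroll; the CA stops issuing until the new cert is installed.
certutil -renewCert ReuseKeys

# ===================== Back on the ROOT with the .req ==========================
# A standalone root holds requests as pending, so submit, approve, then retrieve:
#   certreq -submit -config "rootca\Corp Root CA" "Corp Issuing CA.req" "Corp Issuing CA.cer"
#   certutil -resubmit <RequestId>
#   certreq -retrieve -config "rootca\Corp Root CA" <RequestId> "Corp Issuing CA.cer"

# ===================== On the ISSUING CA with the .cer =========================
# Needs the renewed root already in Trusted Root Certification Authorities (published above).
certutil -installCert "Corp Issuing CA.cer"
Restart-Service certsvc
certutil -CRL

# Confirm the subordinate really got 10 years: NotAfter must not exceed the root's NotAfter.
certutil -dump "Corp Issuing CA.cer" | Select-String 'NotBefore|NotAfter'
```

The last line is the check for the rule stated above: if the root had not been renewed first, NotAfter on the subordinate certificate would be clipped to the old root's expiry regardless of the 10-year registry setting.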
