Background
In this blog posting I will cover the steps to enable autoenrollment for TLS certificates. Basically, in order to get this working you need to perform the following steps: configure autoenrollment GPO, create a certificate template with the proper settings, enroll for a certificate, configure IIS to use that certificate, and then enable re-binding in IIS.
This will allow you to request the TLS (Server Authentication) certificate once and then have it automatically renew and have IIS automatically rebind to the new certificate. This eliminates the need to manually re-enroll for certificates.
Configuring Autoenrollment
In order for TLS certificates to be renewed, autoenrollment must be enabled via GPO. This section covers configuring the Autoenrollment GPO.
Step 1: Open the Group Policy Management Tool (gpmc.msc)

Step 2: Name the new GPO and click OK

Step 3: Locate the new GPO
Step 4: Right-click on the GPO and select Edit from the context menu

Step 5: Navigate to \Computer Configuration\Windows Settings\Security Settings\Public Key Policies
Step 6: In the right-hand pane select the setting Certificate Services Client – Auto-Enrollment
Step 7: Double-click on this setting to open its properties

Step 8: Set the Configuration Model to Enabled
Step 9: Select Renew expired certificates, update pending certificates, and remove revoked certificates
Step 10: Select Update certificates that use certificate templates
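Added example (not from the original post): a check you can run on the web server to confirm the Auto-Enrollment GPO has applied before moving on, then trigger the autoenrollment client. It assumes the GPO writes AEPolicy = 7 (Enabled with both options checked) and 0x8000 (Disabled) under the policy key shown.

```powershell
# Added example, not from the original post. Assumption: the Auto-Enrollment GPO
# stores its setting as the DWORD AEPolicy under this machine policy key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy

if ($null -eq $aePolicy) {
    Write-Warning 'AEPolicy not present: the GPO has not applied to this machine (check the GPO link and run gpupdate /force).'
}
elseif ($aePolicy -eq 7) {
    Write-Output 'Autoenrollment is Enabled with renew/update/remove and template update options (AEPolicy=7).'
}
elseif ($aePolicy -eq 0x8000) {
    Write-Warning 'Autoenrollment is explicitly Disabled by policy (AEPolicy=0x8000).'
}
else {
    Write-Warning ('AEPolicy=0x{0:X} is not the expected value 7; re-check the Auto-Enrollment setting.' -f $aePolicy)
}

# Run the autoenrollment client now rather than waiting for its next scheduled pass.
# A certificate is still only renewed once it is inside the template's renewal period.
certutil -pulse

# The client reports what it did (or why it failed) to the Application log under this provider.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```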

Certificate Template
You can re-configure an existing Web Server template or create a new one to enable the autoenrollment permissions. In the example below the process for creating a new certificate template is demonstrated.
Step 1: Open certtmpl.msc
Step 2: Right-click on the Web Server certificate template and select Duplicate Template from the context menu

Step 3: Provide a name for the new certificate template

Step 4: On the Compatibility tab, select Windows Server 2008 R2 for the Certification Authority, and Windows 7 / Server 2008 R2 for the Certificate recipient

Step 5: Navigate to the Subject Name tab
Step 6: Supply in the request should already be selected; you also need to select Use subject information from existing certificates for autoenrollment renewal requests

Step 7: Navigate to the Security tab
Step 8: Click Add…

Note: In this example I will be using the name of my web server. This is obviously not a scalable solution. In an enterprise environment you would want to use a security group that contains the web servers.
Step 9: Add the computer or group name and click OK. If using a computer name, you will need to click Object Types… and select Computers

Step 10: Select the computer or group you added and select Allow for the Read, Enroll, and Autoenroll permissions
Step 11: Click OK
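Added example (not from the original post): an audit of the new template's permissions in Active Directory. Because the template keeps Supply in the request, any principal with Enroll can ask for a certificate carrying whatever DNS names it likes, so Enroll/Autoenroll should be limited to the web-server group added on the Security tab; the template name and group name below are assumptions.

```powershell
# Added example, not from the original post. Template and group names are assumptions.
$TemplateName = 'WebServerAutoRenew'
$Intended     = @('CONTOSO\WebServers')
$Broad        = @('Authenticated Users', 'Domain Computers', 'Domain Users', 'Everyone')
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # "Enroll" extended right
$AutoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # "Autoenroll" extended right
$AdRights = [System.DirectoryServices.ActiveDirectoryRights]

# Templates live in the Configuration partition, so read them from there.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$findings = foreach ($r in $rules) {
    if ($r.AccessControlType -ne 'Allow') { continue }
    $rights = $r.ActiveDirectoryRights
    $full   = $rights.HasFlag($AdRights::GenericAll)
    $modify = $rights.HasFlag($AdRights::WriteDacl) -or $rights.HasFlag($AdRights::WriteOwner) -or
              $rights.HasFlag($AdRights::WriteProperty)
    # An ExtendedRight ACE with an empty ObjectType covers every extended right, Enroll included.
    $enroll = $full -or ($rights.HasFlag($AdRights::ExtendedRight) -and
              ($r.ObjectType -in @($EnrollRight, $AutoenrollRight, [guid]::Empty)))
    if (-not ($enroll -or $modify)) { continue }

    $who   = $r.IdentityReference.Value
    $short = $who.Split('\')[-1]
    $status = if ($full -or $modify)          { 'REVIEW: can modify the template' }
              elseif ($Broad -contains $short) { 'FAIL: broad principal can enroll' }
              elseif ($Intended -contains $who) { 'OK: intended web-server group' }
              else                             { 'REVIEW: unexpected principal can enroll' }
    [pscustomobject]@{ Identity = $who; Rights = $rights; Status = $status }
}
$findings | Sort-Object Status | Format-Table -AutoSize
```

Domain and Enterprise Admins normally appear with GenericAll; anything else in a REVIEW or FAIL row should be removed from the template before it is added to the CA.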

Adding the Certificate Template to the CA(s)
You will need to add the template to an Enterprise CA to support enrollment.
Step 1: Open the Certification Authority MMC (certsrv.msc)
Step 2: Right-click on Certificate Templates and from the context menu select New and then Certificate Template to Issue

Step 3: Select the newly created Web Server template and then click OK

Enrolling for the New Web Server Certificate Template
This document covers automatically renewing a TLS certificate and re-binding it in IIS. However, you must have an existing certificate to renew. Autoenrollment in this instance cannot be used to request the initial certificate, because web sites use custom names that must be specified during enrollment.
Step 1: Open the Certificates MMC targeted to the Local Computer (certlm.msc)
Step 2: Right-click on Personal and from the context menu select All Tasks and then Request New Certificate…

Step 3: The Certificate Enrollment Wizard will open, click Next

Step 4: On the Select Certificate Enrollment Policy page of the wizard, click Next

Step 5: On the Request Certificate page of the wizard click on the blue link (More information is required to enroll for this certificate. Click here to configure settings.)

Step 6: On the Subject tab, under Alternative name change the Type to DNS
Step 7: In the Value field, enter the DNS name that is used by the website/webserver
Step 8: Click Add
Repeat Steps 7 and 8 if you need to add additional names
Step 9: Click OK

Step 10: Select the certificate template and then click Enroll

Step 11: After enrollment completes, click Finish
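Added example (not from the original post): the same initial enrollment done from the web server with the PKI module's Get-Certificate cmdlet, followed by a check that the issued certificate carries every DNS name and came from the intended template. Template and DNS names are assumptions.

```powershell
# Added example, not from the original post. Template and DNS names are assumptions.
$Template = 'WebServerAutoRenew'
$Names    = @('www.contoso.com', 'contoso.com')

# Supplies the SAN entries in the request, as the wizard's Subject tab does.
$result = Get-Certificate -Template $Template -DnsName $Names -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status $($result.Status)"
}

# Re-read the certificate through the Cert: provider so DnsNameList is available.
$cert = Get-Item "Cert:\LocalMachine\My\$($result.Certificate.Thumbprint)"
foreach ($n in $Names) {
    if ($cert.DnsNameList.Unicode -notcontains $n) { Write-Warning "SAN missing from issued certificate: $n" }
}
# The template is recorded in the Certificate Template Information extension (1.3.6.1.4.1.311.21.7).
$tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
"Thumbprint: $($cert.Thumbprint)"
"Serial:     $($cert.SerialNumber)"
"Template:   $($tmpl.Format($false))"
```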

Verifying Re-bind Step 1 (Optional)
The Verifying Re-bind sections of this document just show the steps to verify that autoenrollment and re-bind are working. You do not need to perform these steps unless you are demoing or troubleshooting this process. The process outlined in this step is viewing the serial number of the certificate in the Certificates MMC; you could also view the certificate by navigating to the website, clicking the lock icon, and viewing the certificate.
Step 1: Locate the certificate that was previously enrolled

Step 2: Open the Details tab and locate the Serial number field
Step 3: Take note of the serial number by copying and pasting it into a notepad file

Configuring the Certificate in IIS
Step 1: Navigate to Default Web Site
Step 2: Click Bindings…

Step 3: Click Add…

Step 4: Select https from the drop-down menu
Step 5: Select the certificate you previously enrolled from the SSL certificate drop-down list
Step 6: Click OK

Step 7: Click Close

Step 8: Navigate to the Website you want to protect with the TLS certificate
Step 9: Open SSL settings from the middle pane

Step 10: To require SSL on the Website or Virtual Directory select Require SSL
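Added example (not from the original post): the binding and Require SSL steps above as PowerShell with the WebAdministration module, selecting the certificate by the site's DNS name rather than by hand. Site name and DNS name are assumptions.

```powershell
# Added example, not from the original post. Site and DNS names are assumptions.
Import-Module WebAdministration
$Site = 'Default Web Site'
$Dns  = 'www.contoso.com'

# Newest unexpired certificate in the machine store that carries the site's name and has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.DnsNameList.Unicode -contains $Dns } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $Dns in LocalMachine\My" }

# Add the https binding (once) and attach the certificate to it.
if (-not (Get-WebBinding -Name $Site -Protocol https -Port 443)) {
    New-WebBinding -Name $Site -Protocol https -Port 443 -IPAddress '*'
}
(Get-WebBinding -Name $Site -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')

# Require SSL for the site (the SSL Settings checkbox).
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Show what is now bound on port 443.
Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object IPAddress, Port, Thumbprint, Store
```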

Enable Certificate Re-binding in IIS
Step 1: Navigate to the server name in IIS Manager
Step 2: In the middle pane open up Server Certificates

Step 3: In the middle pane, select the appropriate certificate
Step 4: In the Actions pane select Enable Automatic Rebind of Renewed Certificates

(Optional) Verifying Re-bind Step 2
The following steps can be re-run after the certificate was due to renew, to verify that the certificate was renewed and rebound.
If testing re-bind, you will need to speed up the renewal process, as you may not want to wait a year or so in your pilot to verify that it works.
Step 1: Locate the template in Certtmpl.msc
Step 2: Right-click on the template and select Reenroll All Certificate Holders

Step 3: On the web server run gpupdate /force or certutil -pulse to trigger the autoenrollment client
Step 4: Navigate to the website over https
Step 5: Click on the lock icon


Step 6: In the pop up click View certificates

Step 7: Navigate to the Serial number field

Step 8: Take note of the serial number, compare it to the previously recorded serial number, and verify that it is a different serial number than the one recorded during Verifying Re-bind Step 1.
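Added example (not from the original post) serving both Verifying Re-bind Step 1 and this section: it reads the certificate actually bound on port 443, records its serial number on the first run, and on later runs reports whether the bound serial has changed. The record file path is an assumption.

```powershell
# Added example, not from the original post. The record path is an assumption.
Import-Module WebAdministration
$Record = 'C:\Temp\https-serial.txt'

function Get-BoundCertificate {
    # Resolve the certificate behind the port-443 SSL binding created in "Configuring the Certificate in IIS".
    $b = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object -First 1
    if (-not $b) { throw 'No SSL binding on port 443' }
    Get-Item "Cert:\LocalMachine\$($b.Store)\$($b.Thumbprint)"
}

$cert = Get-BoundCertificate
$tmpl = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }).Format($false)
"Bound now: serial $($cert.SerialNumber), expires $($cert.NotAfter), $tmpl"

if (-not (Test-Path $Record)) {
    # Verifying Re-bind Step 1: keep the serial in a file instead of a Notepad window.
    Set-Content -Path $Record -Value $cert.SerialNumber
    "Recorded serial number to $Record"
}
else {
    # Verifying Re-bind Step 2: a successful renew-and-rebind shows a different serial on the binding.
    $old = (Get-Content $Record).Trim()
    if ($cert.SerialNumber -eq $old) {
        Write-Warning "Serial unchanged ($old): renewal or rebind has not happened yet."
    }
    else {
        "Rebind verified: bound serial changed from $old to $($cert.SerialNumber)"
    }
}

# Autoenrollment logs certificate replacement to this channel; IIS rebind reacts to that event.
Get-WinEvent -LogName 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational' `
             -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```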

-Chris