Implementing Certificate Autoenrollment and Automatic Rebind for IIS (TLS/Server Auth) Certificates

Background

In this blog posting I will cover the steps to enable autoenrollment for TLS certificates. Basically, in order to get this working you need to perform the following steps: configure autoenrollment GPO, create a certificate template with the proper settings, enroll for a certificate, configure IIS to use that certificate, and then enable re-binding in IIS.

This will allow you to request the TLS or Server Auth certificate once and then have it automatically renew and have IIS automatically use (rebind) to the new certificate. This eliminates the need to manually re-enroll for certificates.

Configuring Autoenrollment

In order for TLS certificates to be renewed autoenrollment must be enabled via GPO. This section covers configuring the Autoenrollment GPO

Step 1: Open the Group Policy Management Tool (gpmc.msc)

Step 2: Name the GPO and click OK

Step 3: Locate the new GPO

Step 4: Right-click on the GPO and select Edit from the context menu

Step 5: Navigate to \Computer Configuration\Windows Settings\Security Settings\Public Key Policies

Step 6: In the right-hand pane select the setting Certificate Services Client – Auto-Enrollment

Step 7: Double-click on this setting to open its properties

Step 8: Set the Configuration Model to Enabled

Step 9: Select Renew expired certificates, update pending certificates, and remove revoked certificates

Step 10: Select Update certificates that use certificate templates

Certificate Template

You can re-configure an existing Web Server template or create a new one to enable the autoenrollment permissions. In the example below the process for creating a new certificate template is demonstrated

Step 1: Open certtmpl.msc

Step 2: Right-click on the Web Server certificate template and select Duplicate Template from the context menu

Step 3: Provide a name for the new certificate template

Step 3: On the Compatibility tab, select Windows Server 2008 R2 for the Certification Authority, and Windows 7 / Server 2008 R2 for the Certificate recipient

Step 4: Navigate to the Subject Name tab

Step 5: Supply in the request should already be selected, but you will need to select Use subject information from existing certificates for autoenrollment renewal requests

Step 6: Navigate to the Security tab

Step 7: Click Add…

Note: In this example I will be using the name of my web server. This is obviously not a scalable solution. In an enterprise environment you would want to use a security group that contains the web servers.

Step 8: Add the computer or group name and click OK. If using computer name, you will need to click on Object Types… and select Computers

Step 9: Select either the computer or group you added and select Allow permissions for Read, Enroll, and Autoenroll

Step 10: Click OK

Adding the Certificate Template to the CA(s)

You will need to add the template to an Enterprise CA to support enrollment

Step 1: Open the Certification Authority MMC (certsrv.msc)

Step 2: Right-click on Certificate Templates and from the context menu select New and then Certificate Template to Issue

Step 3: Select the newly created Web Server template and then click OK

Enrolling for the New Web Server Certificate Template

This document covers automatically renewing a TLS certificate and re-binding it in IIS. However, you must have an existing certificate to renew. Autoenrollment in this instance cannot be used to request the initial certificate, because web sites you custom names that must be specified during enrollment.

Step 1: Open the Certificates MMC targeted to the Local Computer (certlm.msc)

Step 2: Right-click on Personal and from the context menu select All Tasks and then Request New Certificate…

Step 3: The Certificate Enrollment Wizard will open, click Next

Step 4: On the Select Certificate Enrollment Policy page of the wizard, click Next

Step 5: On the Request Certificate page of the wizard click on the blue link (More information is required to enroll for this certificate. Click here to configure settings.)

Step 6: On the Subject tab, under Alternative name change the Type to DNS

Step 7: In the Value field, enter the DNS name that is used by the website/webserver

Step 8: Click Add

Repeat Steps 7 and 8 if you need to add additional names

Step 9: Click OK

Step 9: Select the certificate template and then click Enroll

Step 10: After enrollment completes, click Finish

Verifying Re-bind Step 1 (Optional)

The Verifying Re-bind sections of this document just show the steps to verify autoenrollmant and re-bind is working. You do not need to perform these steps unless you are demoing or troubleshooting this process. Also, the process outlined in this step is viewing the serial number of the certificate in the Certificates MMC. You could also, view the certificate by navigating to the website and clicking the lock icon and viewing the certificate.

Step 1: Locate the certificate that was previously enrolled

Step 2: Open the Detail tab and locate the Serial number field

Step 3: Take note of the serial number by copying and pasting it into a notepad file

Configuring the Certificate in IIS

Step 1: Navigate to Default Web Site

Step 2: Click Bindings…

Step 3: Click Add…

Step 4: Select https from the drop-down menu

Step 5: Select the certificate you previously enrolled from the context menu

Step 6: Click OK

Step 7: Click Close

Step 8: Navigate to the Website you want to protect with the TLS certificate

Step 9: Open SSL settings from the middle pane

Step 10: To require SSL on the Website or Virtual Directory select Require SSL

Enable Certificate Re-binding in IIS

Step 1: Navigate to the server name in IIS Manager

Step 2: In the middle pane open up Server Certificates

Step 3: In the middle pane, select the appropriate certificate

Step 4: In the Actions pane select Enable Automatic Rebind of Renewed Certificates

(Optional) Verifying Re-bind Step 2

The following steps can be re-run after the certificate was supposed to renew to verify the certificate was renewed and re-binded

If testing re-bind you will need to speed up the process of renewal as you may not want to wait a year or so to verify in your pilot that it works

Step 1: Locate the template in Certtmpl.msc

Step 2: Right-click on the template and select Reenroll All Certificate Holders

Step 3: On the Web Server run gpupdate /force or certutil -pule to trigger the autoenrollment client

Step 4: Navigate to the website to https                    

Step 5: Click on the lock icon

Step 6: In the pop up click View certificates

Step 7: Navigate to the Serial number field

Step 8: Take note of the serial number and compare it to the previously recorded serial number and verify that it is a different serial number then the one that was recorded during Verifying Re-bind Step 1

-Chris

Viewing Certificate Requests in the CA Database

Viewing Certificate Requests in the CA Database

In this blog I will show you how to view certificate requests in the CA database. This can be useful when troubleshooting. It is especially helpful if scenarios where you have to identify what process is requesting the certificate.

Step 1: Open the Certification Authority MMC (certsrv.msc)

Step 2: Select the View menu and then Add/Remove Columns…

Step 3: In Available columns select Binary Request and then click Add

Step 4: Click OK

To view a request:

Step 1: Navigate to Issued Certificates

Step 2: Identify the certificate you are interested in viewing its associated request

Step 3: Right-click on the certificate and select All Tasks then Export Binary Data…

Step 4: Select Binary Request

Step 5: Leave View formatted text version of the data as selected

Step 6: Click OK

Now you can view the request and identify information such as the User and Machine that made the request as well as the service that initiated the request

Below is a video that covers the same topic covered in this article:

If there are any topics you would like me to cover in future blog posts, reach out to me through my contact page.

-Chris