Automatically Renewing User Certificates from Inhouse CA?

[mvanzwieten]

Hi Everyone,

I'm running a Win2k CA inhouse tied directly into Active Directory. In
order to make use of EAP/TLS over VPN, I've logged onto local user's
laptops, and downloaded user certificates for them from the CA webpage
onto their laptops, and they use these certs when connecting through
the VPN.

The issue is this... The certificates are only good for 1 year. They
do not renew themselves when they expire, and basically lock the person
out from even using EAP/TLS over VPN after they expire.

In order to get them working again, we have to manually browse over to
the CA webpage, and download a new user cert all over again, deleting
the old one that still sitting there, expired.

Is there anyway to automatically make these user certs renew, or
possibly force a renewal of that user cert on that machine?

I would appreciate your advice!

Thank you,
Mike

 

[Steven L Umbach]

There is no way to automatically renew certificates in Windows 2000. You
will have to come up with a plan to have the users renew or obtain a new
certificate before their certificate expires. Windows 2003 Enterprise CA
when installed on Windows 2003 Enterprise Server allows the use of version 2
templates that can automatically enroll and renew user certificates. You can
use a Windows 2003 Enterprise CA in a Windows 2000 domain if you first
upgrade the forest schema. Only Windows XP Pro domain client computers can
use autoenrollment however. I believe you can also modify the registry on a
Windows 2000 CA in order to extend the life of the user certificates out to
two years for those issued after the registry mod. --- Steve

 

[mvanzwieten]

Thank you very much Steve... I was wondering if you could answer this
other question I had about certificates?

Is there any way for me to request a user certificate on their behalf,
and be able to physically send that certificate file to them via email?
It seems to me like the only person that can physically handle this
certificate would be the actual user themselves, needing to be logged
in as this user in order to request and receive the certificate? You
would think that as an admin, I could say "OK, let me select this
user's certificate, and let me save it, so I can email it to them"...
I'm not sure if this can be done, please let me know what you think?

Thanks again,
Mike

 

[mvanzwieten]

Sorry... the other question I had for you was whether you know where to
find this registry entry that would allow me to increase the cert time?
I searched far & wide, as well as the KB's, with no luck. If you have
a good idea where to find that, please let me know...

Thanks again,
Mike

 

[Steven L Umbach]

Well I think you could logon to a computer as that user, use Web Enrollment
to request the certificate, and then use mmc certificates snapin for user
certificates, go to the personal/certificates folder, and then export that
user's certificate and private to a password protected .pfx file. When you
do such be sure to select to export the certificate change and do not select
strong private key protection unless you need to enable it. If you can not
export the user's private key then you will have to make an advanced
request, select user certificate and then select make private key
exportable. Then you can send the certificate to a user and provide then
with the password for the .pfx file which you may not want to do over email
which usually is sent in clear text.

I have not tried this myself and you may want to try it where you enable the
Exchange user certificate template in the CA Management Console [policy
settings/new - certificate to issue]. Then use Web Enrollment for advanced
request, select Exchange user, and then you can enter a user's name being
sure to select that the private keys are exportable. Then go to your mmc
certificates snapin for user and find the certificate and export it and the
private key to a .pfx file. This may or may not work for your situation but
if it does it will make it easier for you to request certificates for users.
Be sure to test it out for a couple users before doing it for one hundred
and finding out it does not work for what you need. The link below is what
you requested in your other post. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;254632

 

[Steven L Umbach]

Yikes. I need to learn to spell better. "be sure to select to export the
certificate change" should read "be sure to select to export the certificate
chain". The reason is that the CA's certificate will also be exported with
the .pfx file so that the computer that the .pfx file is imported into will
then be able to trust your CA. --- Steve

Well I think you could logon to a computer as that user, use Web
Enrollment to request the certificate, and then use mmc certificates
snapin for user certificates, go to the personal/certificates folder, and
then export that user's certificate and private to a password protected
.pfx file. When you do such be sure to select to export the certificate
change and do not select strong private key protection unless you need to
enable it. If you can not export the user's private key then you will have
to make an advanced request, select user certificate and then select make
private key exportable. Then you can send the certificate to a user and
provide then with the password for the .pfx file which you may not want to
do over email which usually is sent in clear text.

I have not tried this myself and you may want to try it where you enable
the Exchange user certificate template in the CA Management Console
[policy settings/new - certificate to issue]. Then use Web Enrollment for
advanced request, select Exchange user, and then you can enter a user's
name being sure to select that the private keys are exportable. Then go to
your mmc certificates snapin for user and find the certificate and export
it and the private key to a .pfx file. This may or may not work for your
situation but if it does it will make it easier for you to request
certificates for users. Be sure to test it out for a couple users before
doing it for one hundred and finding out it does not work for what you
need. The link below is what you requested in your other post. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;254632

Thank you very much Steve... I was wondering if you could answer this
other question I had about certificates?

Is there any way for me to request a user certificate on their behalf,
and be able to physically send that certificate file to them via email?
It seems to me like the only person that can physically handle this
certificate would be the actual user themselves, needing to be logged
in as this user in order to request and receive the certificate? You
would think that as an admin, I could say "OK, let me select this
user's certificate, and let me save it, so I can email it to them"...
I'm not sure if this can be done, please let me know what you think?

Thanks again,
Mike

 

[mvanzwieten]

Thanks very much for all your help, Steve. It sounds like for now, I'll
need to either make a guide for users to renew their certificates
themselves, or just grab one for them and email it over (more of a pain
in the a$$).

This is a rather good article that goes over certificates in Win2k3,
and making them autoenroll... Someday we'll have that.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/rmotevpn.mspx

Thanks again,
Mike

 

[Steven L Umbach]

OK. Sounds good. Yes autoenrollment will make your life much simpler. ---
Steve