Why Isn’t My ADCS Autoenrollment Renewing My SAN Web Server Certificate?

Asked By CloudyPixel21 On

I'm encountering issues with the auto-renewal of a Web Server certificate that's set up for HTTPS using Subject Alternative Names (SANs) in Active Directory Certificate Services (ADCS). I've configured auto-enrollment through Group Policy, but it doesn't seem to be working. Here's the situation:

I've set this up for testing, and the certificate has a validity period of just one week with a renewal period of four days. The template uses 'Supply in the request' to accommodate multiple SANs. The certificate appears valid and functions correctly, but the auto-renewal isn't triggering as expected.

I've checked everything — the correct permissions are set for the group containing the server, and the GPO configuration is properly applied. Even after rebooting and troubleshooting using certutil, there are no signs of auto-enrollment events related to renewal, although a similar Kerberos authentication template seems to renew just fine. I'm curious about what conditions could lead to the auto-enrollment ignoring a valid certificate renewal, particularly for web server templates.

If needed, I'm happy to share additional diagnostic outputs or screenshots to help clarify the issue.

2 Answers

Answered By AdminWarrior99 On

You might want to consider the validity duration you're using for testing. The rule of thumb is the renewal period should be 80% of the certificate's total lifespan. Since you're using a week for validity and four days for renewal, auto-renewal can only kick in from about day 5.6 onwards. It might be better to use a two-day validity with four-hour renewal for testing.

Also, make sure you have 'Use subject information from existing certificates for autoenrollment renewal requests' checked in your settings. Just be cautious with this option as it may present some security risks.

One more thing — if you have multiple certificates based on the same template, only the first one will auto-renew, so check on that too!

CloudyPixel21 -

Thanks for the insight! I'll adjust the validity to 2 days and the renewal to 4 hours in my lab. Regarding the multiple certificates issue, we only use one certificate per web server, so that shouldn't be a problem.
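A local check for the two conditions AdminWarrior99 describes (renewal is considered only after 80% of the lifetime has elapsed, and only the first certificate per template is renewed), added here as an example and not code from the thread. It assumes it is run elevated on the web server, that the template's renewal period is passed in as `$RenewalPeriodDays`, and that the template name can be read from the Certificate Template Information extension text.

```powershell
# Added example (not from the thread). For every templated certificate in the
# machine store, compute the earliest moment autoenrollment would consider a
# renewal and flag templates that have more than one certificate.
# Assumption: $RenewalPeriodDays equals the renewal period set on the template
# (the thread's test template uses 4 days).
param(
    [int]$RenewalPeriodDays = 4
)

$templateOid = '1.3.6.1.4.1.311.21.7'   # "Certificate Template Information" (v2+ templates)

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    if (-not $ext) { return $null }
    # Assumption: Format() renders text like "Template=WebServer(1.3.6...), Major Version Number=100, ..."
    if ($ext.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
    return $null
}

$now   = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { Get-TemplateName $_ }

foreach ($group in ($certs | Group-Object { Get-TemplateName $_ })) {
    $template = $group.Name
    if ($group.Count -gt 1) {
        # Per the answer above, autoenrollment only renews the first certificate of a template.
        Write-Warning "$template has $($group.Count) certificates; only the first one will auto-renew"
    }
    foreach ($cert in $group.Group) {
        $lifetime = $cert.NotAfter - $cert.NotBefore
        # Renewal is not considered before 80% of the lifetime has elapsed...
        $eightyPercent = $cert.NotBefore + [TimeSpan]::FromTicks([long]($lifetime.Ticks * 0.8))
        # ...nor before the template's renewal period begins.
        $renewalStart = $cert.NotAfter.AddDays(-$RenewalPeriodDays)
        $earliest = if ($eightyPercent -gt $renewalStart) { $eightyPercent } else { $renewalStart }
        [pscustomobject]@{
            Template          = $template
            Thumbprint        = $cert.Thumbprint
            NotBefore         = $cert.NotBefore
            NotAfter          = $cert.NotAfter
            EarliestAutoRenew = $earliest
            EligibleNow       = ($now -ge $earliest -and $now -lt $cert.NotAfter)
        }
    }
}
```

With the thread's 7-day validity and 4-day renewal period, `EarliestAutoRenew` lands at day 5.6, which is the window AdminWarrior99 refers to.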

Answered By SysAdminGuru77 On

I didn’t realize a manually requested certificate that uses 'Supply in request' could even auto-renew. My suggestion would be to adjust the template to allow for a longer lifespan, like 10 years, and see if that resolves the issue. If your server lasts that long, you’ll likely have other problems to deal with anyway!

CloudyPixel21 -

That's an interesting perspective! However, I have been able to auto-renew similar certificates (like on Kerberos) even when they were manually enrolled initially. They keep their SANs intact, so I think it might be something template-specific.
