Working with Internet Information Services (IIS) certificates can be a bit challenging, especially at renewal time. Most organizations do not track Web SSL certificates, which in turn might expire and cause an unplanned outage. Those who do track this information, on the other hand, have to make sure certificates are renewed before they expire, or find ways to notify the application owners of their certificate's expiration beforehand.
Windows Server 2008 R2 and Windows Server 2012 address this issue through Autoenrollment and Certificate Templates. The Certificate Template design includes a new option, Use subject information from existing certificates for autoenrollment renewal requests. This option allows the certificate to renew automatically, carrying over any information in the Subject Name field and any additional information in the Subject Alternative Name field. This option is available for client certificates installed on computers running Windows 7 or Windows Server 2008 R2 and later.
The Use subject information from existing certificates for autoenrollment renewal requests option causes the certificate enrollment client to read the subject name and subject alternative name information from an existing computer certificate based on the same certificate template when creating renewal requests, either automatically or through the Certificates snap-in. This applies to computer certificates that are expired, revoked, or within their renewal period.
The Autoenrollment Group Policy has to be enabled for this feature to work. The feature also works for certificates issued before it was enabled. For example, an administrator can change the original template's settings to include Use subject information from existing certificates for autoenrollment renewal requests after a certificate has been issued, because the scope of enrollment in a Microsoft PKI is the template. Autoenrollment Group Policy together with this feature will allow the certificate to renew in the future without any administrative intervention once the certificate enters the renewal period specified by the template – typically the last 20% or less of the certificate's validity period.
Amer F Kamal
Senior Premier Field Engineer
Thank you for your post, but how does IIS pick up the new certificate for use? The other thing I want to mention is, when you assign a new certificate to the website, existing sessions will be disconnected and users might have to re-authenticate depending on your hosting scenario. And with auto-enrollment you can't define a maintenance window or predict that the certificate renewal happens in a certain time window.
How do you solve issues with certificate renewal in a web server farm using auto-enrollment?
Maybe you can expand your blog post to address those questions.
Amer Kamal offers a solution to a long-standing request for auto-renewing IIS web server certificates
I see your comment but no link to Amer's solution to Lutz's question. Can you repost?
Although the certificate can be renewed automatically, the unplanned downtime will still exist. Don't forget your IIS will not offer an "auto re-binding correct certificate" feature. After the certificate expires, you will see a 501 error.
Yes, I concur the process is flawed; it does successfully renew the certificate, but as the digital fingerprint of the cert is renewed, this has to be manually bound to the website it's used on using the IIS management console. Has anyone got any bright ideas that might automate that final step?
How do I open this option? I don't know, please help if anyone is there.
Just to close the loop on this line of inquiry, the auto-rebind feature is available in Server 2012 R2 as documented in a newer post -
Will this work with the CEP/CES service as well? Or will it only work when the server has an RPC connection to the CA?
The auto rebind can also be performed via automation engines like Orchestrator. Almost everything can be administratively executed using PowerShell. With the scripts on hand, you can copy and paste them into Orchestrator to automate the task after the trigger.
The trigger would come from a monitoring system looking for the 20% expiring-certificate notice in the event logs (events: CertificateServicesClient-Lifecycle-System and CertificateServicesClient-Lifecycle-User). Once these events are detected, Orchestrator would receive a notice to start the binding process once AD CS has completed the certificate renewal.
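The manual rebind step discussed in the comments above, and the PowerShell automation the last comment describes, can be done with a script like the following. This is an added example, not code from the original post or its author; it assumes the WebAdministration module (IIS 7.5 on Windows Server 2008 R2 or later), that the autoenrolled replacement certificate sits in LocalMachine\My with the same Subject and Issuer as the one currently bound, and that the site name and port passed in are hypothetical values for your environment.

```powershell
# Added example: re-bind an IIS HTTPS binding to the newest autoenrolled
# certificate that matches the currently bound one.  Assumes WebAdministration
# and a site whose binding references a cert in LocalMachine\My. Run elevated.
Import-Module WebAdministration

function Update-IisSslBinding {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [int]$Port = 443,
        [switch]$ReportOnly   # show what would change without touching the binding
    )
    $binding = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -like "*:$($Port):*" } |
        Select-Object -First 1
    if (-not $binding) { throw "No https binding on port $Port for site '$SiteName'" }

    $current = Get-Item "Cert:\LocalMachine\My\$($binding.certificateHash)" -ErrorAction SilentlyContinue
    if (-not $current) { throw "Bound certificate $($binding.certificateHash) is not in LocalMachine\My" }

    # Candidate replacement: same Subject and Issuer (the template carries the
    # subject over on renewal), a usable private key, not yet expired, newest first.
    $newest = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.Subject -eq $current.Subject -and $_.Issuer -eq $current.Issuer -and
            $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $newest) { throw "No valid certificate for subject '$($current.Subject)' found" }

    if ($newest.Thumbprint -eq $current.Thumbprint) {
        Write-Output "'$SiteName' already uses the newest certificate $($current.Thumbprint) (expires $($current.NotAfter))"
        return
    }
    Write-Output "Rebinding '$SiteName': $($current.Thumbprint) (expires $($current.NotAfter)) -> $($newest.Thumbprint) (expires $($newest.NotAfter))"
    if ($ReportOnly) { return }

    # Swap the certificate on the binding; new TLS sessions use the renewed cert.
    $binding.RemoveSslCertificate()
    $binding.AddSslCertificate($newest.Thumbprint, "My")
}

# Hypothetical site name; drop -ReportOnly to apply the change.
Update-IisSslBinding -SiteName "Default Web Site" -Port 443 -ReportOnly
```

Matching on Subject alone is not enough: restricting the candidate to the same Issuer keeps a cert with the same name from a different CA from being bound, and the ReportOnly pass lets a monitoring or Orchestrator job review the change before it runs outside a maintenance window.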