Have certificate holders automatically renew all certificates issued for a certificate template

When operating a certification authority, it may be necessary to renew all issued certificates for a specific certificate template, for example due to major configuration changes or a change of the issuing certification authority. The following describes a mechanism with which this can be achieved automatically.

Implementation


Provided that the certificate template is configured for autoenrollment, the autoenrollment process itself can be used to carry out the renewal.

Certificate templates carry a version number (displayed as "major.minor") that this mechanism relies on:

  • The "Minor Version Number", i.e. the number after the dot (AD attribute msPKI-Template-Minor-Revision), is incremented automatically each time the certificate template is modified.
  • The "Major Version Number", i.e. the number before the dot (AD attribute revision), is only increased deliberately by the template administrator. When it is increased, the minor version number is reset to 0.

In an issued certificate, both version numbers are recorded in the "Certificate Template Information" extension (OID 1.3.6.1.4.1.311.21.7) together with the Object Identifier (OID) of the certificate template. Note that legacy version 1 templates only stamp the "Certificate Template Name" extension, which carries no version number, so this mechanism applies to version 2 and later templates only.

Based on this information, the autoenrollment process compares the actual state in the local certificate store with the target state in Active Directory. If the Major Version Number in the local certificate is lower than that of the certificate template, a new certificate request is submitted automatically.

The administrator of a certificate template triggers the increase of the Major Version Number in the Certificate Templates console (certtmpl.msc) by right-clicking the template and selecting "Reenroll All Certificate Holders".

The Major Version Number should now have been increased and the Minor Version Number reset to 0.

Once the autoenrollment process has run on the client (on its next regular trigger, or forced with certutil -pulse), a new certificate should have been requested. The previous certificate is marked as archived: it is hidden from the store view and is no longer selected by applications, but it is not invalidated by this.

However, the certification authority does not revoke the previous certificates automatically. They remain valid until they expire unless the administrator revokes them explicitly (for example with certutil -revoke and reason code 4, "Superseded").
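To check which certificates on a machine still carry an old Major Version Number and which superseded certificates are waiting to be revoked, the following PowerShell script (an added example, not part of the original article) decodes the Certificate Template Information extension itself and compares it with the template's version in Active Directory. It assumes a domain-joined machine with read access to the Configuration partition; the template name "WebServerV2" is a placeholder. The store is opened with IncludeArchived because archived certificates are not shown by the normal store view.

```powershell
# Added example: compare template version in issued certificates with the AD template.
# Assumptions: domain-joined host, rights to read the local certificate store,
# template name is a placeholder and must be replaced.
param(
    [string]$TemplateName = 'WebServerV2',   # placeholder, not from the article
    [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation = 'LocalMachine'
)

$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # szOID_CERTIFICATE_TEMPLATE

# --- Target state: template OID and version from the Configuration partition ---
$cfgNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmpl  = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
$tmplOid   = [string]$tmpl.Properties['msPKI-Cert-Template-OID'].Value
$tmplMajor = [int]$tmpl.Properties['revision'].Value
$tmplMinor = [int]$tmpl.Properties['msPKI-Template-Minor-Revision'].Value

# --- Minimal DER helpers for SEQUENCE { OID, INTEGER major, INTEGER minor OPTIONAL } ---
function Read-DerLength([byte[]]$b, [ref]$pos) {
    $len = $b[$pos.Value]; $pos.Value++
    if ($len -band 0x80) {                       # long form: next N bytes hold the length
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $b[$pos.Value]; $pos.Value++ }
    }
    return $len
}

function Read-DerInteger([byte[]]$b, [ref]$pos) {
    if ($b[$pos.Value] -ne 0x02) { throw 'Expected INTEGER in Certificate Template Information' }
    $pos.Value++
    $len = Read-DerLength $b $pos
    $v = [long]0
    for ($i = 0; $i -lt $len; $i++) { $v = ($v -shl 8) -bor $b[$pos.Value]; $pos.Value++ }
    return $v
}

function ConvertFrom-DerOid([byte[]]$b) {
    # First byte encodes the first two arcs; remaining arcs are base-128 with continuation bit.
    $arcs = @([int][math]::Floor($b[0] / 40), ($b[0] % 40))
    $v = [long]0
    for ($i = 1; $i -lt $b.Length; $i++) {
        $v = ($v -shl 7) -bor ($b[$i] -band 0x7F)
        if (-not ($b[$i] -band 0x80)) { $arcs += $v; $v = [long]0 }
    }
    return ($arcs -join '.')
}

function Get-TemplateInfo([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    if (-not $ext) { return $null }              # v1 template or non-AD CS certificate
    $raw = $ext.RawData; $pos = 0
    if ($raw[$pos++] -ne 0x30) { throw 'Expected SEQUENCE in Certificate Template Information' }
    $null = Read-DerLength $raw ([ref]$pos)
    if ($raw[$pos++] -ne 0x06) { throw 'Expected OBJECT IDENTIFIER in Certificate Template Information' }
    $len = Read-DerLength $raw ([ref]$pos)
    $oid = ConvertFrom-DerOid ([byte[]]$raw[$pos..($pos + $len - 1)]); $pos += $len
    $major = Read-DerInteger $raw ([ref]$pos)
    $minor = if ($pos -lt $raw.Length) { Read-DerInteger $raw ([ref]$pos) } else { 0 }
    [pscustomobject]@{ Oid = $oid; Major = $major; Minor = $minor }
}

# --- Actual state: walk the store including archived (superseded) certificates ---
$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
         [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $StoreLocation)
$store.Open($flags)
try {
    foreach ($cert in $store.Certificates) {
        $info = Get-TemplateInfo $cert
        if (-not $info -or $info.Oid -ne $tmplOid) { continue }
        $state = if ($cert.Archived)              { 'archived: superseded, revoke manually (certutil -revoke <serial> 4)' }
                 elseif ($info.Major -lt $tmplMajor) { 'outdated: autoenrollment will renew' }
                 else                              { 'current' }
        [pscustomobject]@{
            Serial        = $cert.SerialNumber
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            CertVersion   = "$($info.Major).$($info.Minor)"
            TemplateVer   = "$tmplMajor.$tmplMinor"
            State         = $state
        }
    }
} finally { $store.Close() }
```

Run it before and after "Reenroll All Certificate Holders": beforehand every certificate of the template should show "current" with the old major version; after certutil -pulse the renewed certificate shows the new major version and the old one appears as "archived", which is the list an administrator still has to revoke by hand.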
