
A Stepwise Guide To Renew Certificates On Microsoft CA

Key Points
  • Microsoft CA provides for auto-enrollment of certificates with GPO. You must configure an auto-enrollment policy and certificate templates.
  • A major drawback of Microsoft CA is that it lets you auto-enroll only with AD CS and GPO, rather than being vendor-agnostic.
  • SecureW2's PKI integrates with your existing infrastructure and instantly lets your devices connect with any cloud IDP or MDM for easy certificate enrollment and auto-renewal.

Organizations can leverage digital certificates to build a robust network, as certificates use public-key cryptography to protect information sent over the air. A smaller organization can manage its digital certificates by hand, but a bigger organization needs a PKI for effective certificate management. A PKI makes managing certificates easier by automating the issuing and revoking of certificates, enabling passwordless authentication for an ironclad network.

Read to learn how an Australian real estate giant leveraged cloud-based PKI to deploy CBA.

Effective certificate lifecycle management involves issuance and validation, effective revocation, and timely renewal. When a certificate expires or is revoked, there should be a mechanism to renew it automatically with the existing configuration. This guide demonstrates how to renew certificates in a PKI and alternative methods that may work better for your organization.

How To Renew Certificates on a Microsoft PKI

The exact method for generating certificate renewal requests will vary depending on the provider you have and the operating system you are using. Generally, it can be summarized in four steps:

  1. Generate a new CSR (Certificate Signing Request). Your vendor will provide you with a CSR code (a block of Base64 text).
     NOTE: Keep this code handy because you’ll need it to re-activate your certificate.
  2. Activate your certificate by providing the encoded CSR code.
  3. Validate your certificate through one of the following:
     • Email validation
     • HTTP validation
     • DNS validation
  4. Install your certificate onto your device. This varies in difficulty depending on your vendor and OS.
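
The four steps above, carried out with certreq.exe against an internal Microsoft AD CS enterprise CA, as an added example that is not code from the original article or from SecureW2. On an enterprise CA the vendor validation in step 3 is replaced by the CA checking the requester's Enroll permission on the named template, so that step is only a comment here. The host name, the CA configuration string and the template name are assumptions.

```powershell
# Added example (not from the original article): the four renewal steps with certreq.exe
# against an AD CS enterprise CA. Assumed (hypothetical) values: host name, CA config
# string ("<CA host>\<CA name>") and template name.
$ErrorActionPreference = 'Stop'
$subjectCn = 'web01.corp.example'                      # assumed host name
$caConfig  = 'ca01.corp.example\Corp Issuing CA'       # assumed CA config string
$template  = 'CorpWebServer'                           # assumed template name
$workDir   = Join-Path $env:TEMP 'certrenew'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir 'request.inf'
$reqPath = Join-Path $workDir 'request.req'
$cerPath = Join-Path $workDir 'response.cer'

# Step 1: describe the new key and request. The key is created non-exportable in the
# machine key store, so the private key never leaves this host.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$subjectCn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$subjectCn&"

[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content -Path $infPath -Encoding ASCII

# Generate the private key and the Base64 CSR (the "CSR code" of step 1).
certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# Step 2: submit the CSR to the CA. -config avoids the interactive CA picker.
certreq -submit -config $caConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }

# Step 3 (enterprise CA form): the CA has already enforced the template's Enroll permission.
# If the template requires manager approval, the request is pending and is fetched later with:
#   certreq -retrieve -config $caConfig <RequestId> $cerPath

# Step 4: install the issued certificate; this binds it to the private key from step 1.
certreq -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Verify: the certificate is in the machine store, has its private key, and is the newest one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$subjectCn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate with a private key found for CN=$subjectCn" }
"{0}  expires {1:u}  thumbprint {2}" -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint

# Renewal shortcut once a certificate from an enterprise CA already exists: certreq builds
# the renewal request from the old certificate and generates a fresh key pair.
#   certreq -enroll -machine -q -cert $cert.Thumbprint Renew
```

The renewal form at the end is the one to script for fleets: it needs no INF file, and because it omits `ReuseKeys` each renewal gets a new private key, so a key compromised during the previous validity period does not carry over into the new certificate.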

If you just renew one certificate, doing things manually may be the easiest way. However, renewing certificates manually is not a good option for larger organizations. Think about performing each of these steps for each device in a company with a large variation in operating systems. For most, it’s simply not a viable solution.

Renewing Certificates With Microsoft AD CS

Automating the process is one of the best solutions to counteract certificates expiring unnoticed. Certificate auto-enrollment was first introduced in Windows 2000 and has been greatly enhanced over time with new features and usage scenarios. Windows 10 and Windows Server 2016 support automatically renewing expired certificates for users and devices in AD environments.

Microsoft provides certificate auto-enrollment that can be configured with GPO. This allows devices to automatically enroll for a new certificate when the current one is about to expire. For this to work, you must configure an auto-enrollment policy and certificate templates. Templates need to be set with the correct permissions, such as “Read and Enroll.” Remember to use security groups if you are granting template permissions. Once the templates have been configured, add them to your Enterprise CA to begin auto-enrollment.
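
Two checks for the GPO auto-enrollment setup described above, written as an added PowerShell example that is not from the original article or from SecureW2: that the client's auto-enrollment policy is fully enabled, and that the template's permissions in AD grant Read, Enroll and Autoenroll to security groups rather than to individual accounts. The template name and forest DN are assumptions; the ACL check needs the ActiveDirectory module (RSAT).

```powershell
# Added example (not from the original article). Assumed (hypothetical) values: the
# template name and the forest's domain DN used to build the configuration-partition DN.
$templateName = 'CorpWorkstation'        # assumed template name
$forestDn     = 'DC=corp,DC=example'     # assumed forest root DN

# --- 1. Client side: AEPolicy is the registry value behind the
# "Certificate Services Client - Auto-Enrollment" GPO setting for the computer.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if ($null -eq $ae) {
    'AEPolicy: not set (auto-enrollment GPO not applied to this computer)'
} elseif ($ae.AEPolicy -band 0x8000) {
    'AEPolicy: disabled by policy'
} elseif ($ae.AEPolicy -eq 7) {
    'AEPolicy: 7 (enabled, renew expired/update pending/remove revoked, update templates)'
} else {
    "AEPolicy: $($ae.AEPolicy) (enabled, but 7 is the value with both renewal options on)"
}
# To run an auto-enrollment pass now instead of waiting for the next scheduled cycle:
#   certutil -pulse

# --- 2. Template ACL in AD. Enroll and Autoenroll are control-access rights identified
# by well-known GUIDs; Read is the generic read right.
Import-Module ActiveDirectory
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$templateDn = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services," +
              "CN=Services,CN=Configuration,$forestDn"
$acl = Get-Acl -Path "AD:\$templateDn"

foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })) {
    $rights = @()
    $adr = $ace.ActiveDirectoryRights
    if ($adr.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericRead)) { $rights += 'Read' }
    if ($adr.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
        if ($ace.ObjectType -eq $enrollGuid)     { $rights += 'Enroll' }
        if ($ace.ObjectType -eq $autoEnrollGuid) { $rights += 'Autoenroll' }
        if ($ace.ObjectType -eq [guid]::Empty)   { $rights += 'AllExtendedRights' }
    }
    if ($rights.Count -eq 0) { continue }

    # Resolve the grantee's object class and warn when a user, not a group, was granted rights.
    $sid  = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    $obj  = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass -ErrorAction SilentlyContinue
    $kind = if ($obj) { $obj.objectClass } else { 'builtin/unknown' }
    $note = if ($kind -eq 'user') { 'WARNING: granted to a user; use a security group' } else { '' }
    "{0,-40} {1,-16} {2,-30} {3}" -f $ace.IdentityReference, $kind, ($rights -join ','), $note
}
```

Grants whose `ObjectType` is the empty GUID cover every extended right on the template, Enroll and Autoenroll included, so they deserve the same scrutiny as an explicit Enroll grant when you review who can obtain certificates from a template.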

Unfortunately, the auto-enrollment process can only be done with GPO and AD CS certificate templates. If you have non-AD devices or MDMs, SecureW2’s software can integrate with any MDM (Jamf, Airwatch, Mobile Iron, etc.) and push out renewal policies.

Renewing Certificates With SecureW2

Microsoft CAs use templates for certificate validity, and the Windows Server 2000 and 2003 CAs don't allow the validity period of a template to be modified.

With SecureW2, certificate templates can be configured so certificates stay valid for years. A practical example could be for a university where you could easily set up group policies so that when users enroll for a certificate, your system automatically issues 4-year certificates to students and 8-year certificates to faculty and staff.

Expiry Notifications For BYODs

Sending out automated certificate expiration notifications is critical to maintaining a secure network. You may recall the Experian Data Breach in 2017, where a certificate that expired without anyone noticing was one of the main factors in the breach.

We recommend all our customers use our automated certificate expiration notification emails. When you generate a CA with SecureW2, you can select when and how often end users will be notified when their certificates are about to expire. The screen above shows the available interval options (shown in days). SecureW2 will automatically email end users when a certificate expires and instruct them on how to re-enroll.
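
The expiry-notification idea above, applied to a Windows host's own certificate stores as an added example that is not from the original article or from the SecureW2 portal: it lists every certificate that has crossed one of the configured notice intervals or has already expired, so a scheduled task can mail the report. The intervals, the mail relay and the recipient are assumptions.

```powershell
# Added example (not from the original article). Assumed (hypothetical) values: the
# notice intervals and the mail settings in the commented Send-MailMessage call.
$intervals = @(30, 14, 7, 1)                                   # assumed notice thresholds, in days
$stores    = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'   # stores to scan
$now       = Get-Date

$report = foreach ($store in $stores) {
    foreach ($c in (Get-ChildItem -Path $store)) {
        $daysLeft = [math]::Floor(($c.NotAfter - $now).TotalDays)

        # The smallest threshold already crossed, e.g. 9 days left -> the 14-day notice.
        $notice = $intervals | Where-Object { $daysLeft -le $_ } | Sort-Object | Select-Object -First 1
        if ($null -eq $notice -and $daysLeft -ge 0) { continue }   # no notice due yet

        [pscustomobject]@{
            Store      = $store
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            DaysLeft   = $daysLeft
            HasKey     = $c.HasPrivateKey
            Status     = if ($daysLeft -lt 0) { 'EXPIRED' } else { "$($notice)-day notice due" }
        }
    }
}

# Soonest expiry first; an empty report means nothing is due.
$report | Sort-Object DaysLeft | Format-Table Store, Subject, DaysLeft, Status, HasKey -AutoSize

# Mail the report to the operators (relay, sender and recipient are assumptions):
# if ($report) {
#     Send-MailMessage -SmtpServer 'smtp.corp.example' -From 'pki@corp.example' `
#         -To 'pki-ops@corp.example' -Subject 'Certificate expiry report' -Body ($report | Out-String)
# }
```

Run it from a daily scheduled task; because it reports the smallest threshold already crossed, each certificate shows up at every configured interval, which mirrors the repeated reminders described above rather than a single warning that is easy to miss.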

Auto-Enroll Managed Devices With SecureW2

SecureW2 takes advantage of SCEP (Simple Certificate Enrollment Protocol), which can simplify the enrollment process so that you can enroll any device for a certificate without any user interactions.

SCEP uses a URL and a shared secret with the certificate authority to communicate with a PKI. Mobile Device Management (MDM) software commonly uses SCEP for devices by pushing a payload containing the SCEP URL and the shared secret to managed devices.

The SecureW2 Management Portal has the necessary components to deploy a SCEP Gateway with any major MDM in less than an hour. With SCEP, you can easily configure enrollment policies that auto-renew certificates for managed devices as soon as they expire. This removes any chance of forgetting an expired certificate, and with our GUI, you can monitor all your active certificates to ensure nothing falls through the cracks.
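
A read-only probe of a SCEP endpoint using the two unauthenticated SCEP operations, GetCACaps and GetCACert (RFC 8894), as an added PowerShell example that is not from the original article or from SecureW2. It is the pre-flight check to run before pointing an MDM SCEP payload at a URL: it reports which capabilities the server advertises (a modern client needs POSTPKIOperation and SHA-256) and prints the CA/RA certificate fingerprints so the MDM profile can pin them. The NDES-style URL is an assumption; nothing is enrolled and no shared secret is sent.

```powershell
# Added example (not from the original article). Assumed (hypothetical) value: the SCEP URL.
Add-Type -AssemblyName System.Security   # for SignedCms (PKCS#7) in Windows PowerShell 5.1
$scepUrl = 'http://ndes.corp.example/certsrv/mscep/mscep.dll'   # assumed NDES-style SCEP URL

function Get-ScepCaCaps {
    # GetCACaps returns one capability keyword per line as text/plain.
    param([string]$Url)
    $wc = New-Object System.Net.WebClient
    $text = $wc.DownloadString("$Url?operation=GetCACaps&message=probe")
    ($text -split "`r?`n") | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Get-ScepCaCerts {
    # GetCACert returns either a single DER CA certificate (application/x-x509-ca-cert)
    # or, when an RA sits in front of the CA, a degenerate PKCS#7 holding the CA and RA
    # certificates (application/x-x509-ca-ra-cert).
    param([string]$Url)
    $wc    = New-Object System.Net.WebClient
    $bytes = $wc.DownloadData("$Url?operation=GetCACert&message=probe")
    $ctype = $wc.ResponseHeaders['Content-Type']
    if ($ctype -like 'application/x-x509-ca-ra-cert*') {
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $cms.Decode($bytes)
        $cms.Certificates
    } else {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    }
}

$caps  = Get-ScepCaCaps  -Url $scepUrl
$certs = Get-ScepCaCerts -Url $scepUrl

"Advertised capabilities: " + ($caps -join ', ')
foreach ($cap in 'POSTPKIOperation', 'SHA-256') {
    "{0,-18} {1}" -f $cap, $(if ($caps -contains $cap) { 'OK' } else { 'MISSING' })
}
if ($caps -notcontains 'Renewal') {
    'NOTE: Renewal not advertised; clients cannot sign a renewal with their current certificate and must re-enroll with a fresh challenge.'
}

"CA/RA certificates returned by GetCACert:"
foreach ($c in $certs) {
    # SHA-256 fingerprint of the DER encoding, the value to pin in the MDM SCEP payload.
    $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($c.RawData)
    $fp = ($digest | ForEach-Object { $_.ToString('x2') }) -join ''
    "{0}`n   not after {1:u}`n   sha256 {2}" -f $c.Subject, $c.NotAfter, $fp
}
```

The shared secret the section above refers to is the SCEP challenge password, and it is the only thing authenticating an enrollment request to the CA. A gateway that issues a per-device, single-use challenge to the MDM is therefore preferable to one long-lived static password shared by every managed device, and a server that only advertises MD5 or SHA-1 rather than SHA-256 should be fixed before devices are enrolled against it.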

Use SecureW2's PKI to Manage Certificates Efficiently

Deploying a PKI is traditionally considered a cumbersome process that requires time and a lot of manpower. It also comes with a high installation cost, regular maintenance, and physical space to keep it secure. However, a cloud-based PKI integrates with your existing infrastructure without needing forklift upgrades. It connects with the major identity providers and MDMs and can quickly connect to your network.

A cloud PKI is managed by a vendor, thus saving you money and time on maintenance activities. With a cloud-based PKI, managing digital certificates is a breeze. Users and devices with digital certificates are protected from MITM and over-the-air attacks, and organizations can rest assured they get a secure network.

Click here to learn more about our passwordless security options for your organization. 


Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.