+1

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ken Schaefer
Sent: Monday, March 31, 2014 8:14 PM
To: [email protected]
Subject: RE: [NTSysADM] IIS certs expiration and autorenewal from a Windows CA

I think those articles are saying that:
a) you need to configure the "web server" template
b) this will only work if the URL used by users is the same as the FQDN of the server (as the FQDN will be auto-inserted into the CN= field of the cert)

I don't think you need SPNs at all (beyond the defaults that are created when you install IIS).

I'm not sure I'd go down this route personally - you can automate the process, but not via auto-enrolment. And certs really should be in your asset management system IMHO - that will alert you to their expiry.

Cheers
Ken

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Tuesday, 1 April 2014 10:03 AM
To: [email protected]
Subject: [NTSysADM] IIS certs expiration and autorenewal from a Windows CA

All,

We had a bit of a scramble when an IIS SSL cert generated by our internal CA expired, and didn't autorenew.

Now that I've fixed it, I'm wondering how to set up autorenewal. From my reading so far, it looks like I need to set up an SPN for the web site on the machine account, viz:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/0b435135-5a90-4957-9bcc-a92b4c519fda/autoenrollment-for-web-server-certificates
and
http://support.microsoft.com/kb/929650

Is this correct, and sufficient? Or do I need to dig a little deeper?

Kurt

