-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Tuesday, 1 April 2014 11:55 AM
To: [email protected]
Subject: Re: [NTSysADM] IIS certs expiration and autorenewal from a Windows CA
> I am of the opinion that there shouldn't be any reason why these web sites
> don't autorenew their certs, once installed.

Auto-renewal isn't a process that looks at the details in the existing cert and says to the CA "give me a new cert with the same properties, except extend the expiry date".

Auto-renewal is a process that says "based on my user/computer properties, give me a cert with said properties".

The issue you have is that certs you've issued for your services are not tied to the user or computer properties per se - they have arbitrary Common Names (for starters).

That's not to say you can't set up an automated process that, once a pending cert expiry is detected, creates an appropriate CSR and submits it to your CA, and your CA can be configured to auto-issue the cert.

> I'm willing to be schooled on that, but after thinking about it for a while I
> can't see any objections -
> except perhaps "It can't be done."

I don't think it can be done with the built-in auto-renewal process in Windows, because it doesn't do what you think/want it to do.

> Asset management - that's a spreadsheet on which assets are tracked, right? :)

Not ideal. But you could improve on the idea: e.g. create some formulas that colour-code or highlight the contracts or assets that are reaching EoL. Write a VBScript that queries it every day, and generates an email with things that need to be renewed or a helpdesk ticket, or whatever. Downside to Excel is it might be hard to model different types of items without using different tabs, and you don't get any real referential integrity, and version control is a PITA etc.
Cheers
Ken

> Cheers
> Ken
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Tuesday, 1 April 2014 10:03 AM
> To: [email protected]
> Subject: [NTSysADM] IIS certs expiration and autorenewal from a
> Windows CA
>
> All,
>
> We had a bit of a scramble when an IIS SSL cert generated by our internal CA
> expired, and didn't autorenew.
>
> Now that I've fixed it, I'm wondering how to set up autorenewal,
>
> From my reading so far, it looks like I need to set up an SPN for the web
> site on the machine account, viz:
> http://social.technet.microsoft.com/Forums/windowsserver/en-US/0b435135-5a90-4957-9bcc-a92b4c519fda/autoenrollment-for-web-server-certificates
>
> and
>
> http://support.microsoft.com/kb/929650
>
> Is this correct, and sufficient? Or do I need to dig a little deeper?
>
> Kurt
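A scripted version of the process Ken describes (detect a pending expiry on an IIS binding, build a CSR for the same subject, submit it to the CA and rebind the site), written here as an added example that is not part of the thread. It assumes the WebAdministration module and certreq.exe are available, and that $CaConfig and $Template (both placeholders) name an AD CS CA and a template configured to auto-issue to the account running the script.

```powershell
# Added example, not from the list thread: renew IIS HTTPS certificates that
# expire within $Days days by requesting a replacement from an AD CS CA.
# Assumptions (placeholders): the CA config string and the template name,
# and that the template auto-issues to the account running this script.
param(
    [int]$Days = 30,
    [string]$CaConfig = 'CA01.example.internal\Example Issuing CA',  # placeholder
    [string]$Template = 'WebServerAutoIssue'                          # placeholder
)
Import-Module WebAdministration

$cutoff = (Get-Date).AddDays($Days)
$work   = Join-Path $env:TEMP 'cert-renew'
New-Item -ItemType Directory -Force -Path $work | Out-Null

foreach ($b in Get-WebBinding -Protocol https) {
    if (-not $b.certificateHash) { continue }
    $cert = Get-Item "Cert:\LocalMachine\My\$($b.certificateHash)" -ErrorAction SilentlyContinue
    if (-not $cert -or $cert.NotAfter -gt $cutoff) { continue }

    # Carry the existing subject over and add the CN as a SAN (browsers ignore CN alone).
    $subject = $cert.Subject
    $cn      = ($subject -split ',')[0] -replace '^CN=', ''
    $base    = Join-Path $work $cert.Thumbprint
    @"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}dns=$cn"
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content "$base.inf"

    Write-Host "Renewing $subject (current cert expires $($cert.NotAfter))"
    certreq -new "$base.inf" "$base.req"
    certreq -submit -config $CaConfig "$base.req" "$base.cer"
    # Only if the CA issued immediately: install the cert and point the binding at it.
    if (Test-Path "$base.cer") {
        certreq -accept "$base.cer"
        $new = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $subject } |
               Sort-Object NotAfter -Descending | Select-Object -First 1
        $b.AddSslCertificate($new.Thumbprint, 'My')
    }
}
```

Run it from a daily scheduled task; if the template requires CA manager approval instead of auto-issue, certreq -submit returns a pending request ID and the certreq -accept step has to wait for a later retrieval.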

