Guess I'll have to look at some scripting.

On Mar 31, 2014 6:15 PM, "Ken Schaefer" <[email protected]> wrote:
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> > Sent: Tuesday, 1 April 2014 11:55 AM
> > To: [email protected]
> > Subject: Re: [NTSysADM] IIS certs expiration and autorenewal from a Windows CA
> >
> > I am of the opinion that there shouldn't be any reason why these web
> > sites don't autorenew their certs, once installed.
>
> Auto-renewal isn't a process that looks at the details in the existing
> cert and says to the CA "give me a new cert with the same properties,
> except extend the expiry date"
>
> Auto-renewal is a process that says "based on my user/computer
> properties, give me a cert with said properties"
>
> The issue you have is that certs you've issued for your services are not
> tied to the user or computer properties per se - they have arbitrary Common
> Names (for starters).
>
> That's not to say you can't set up an automated process that, once a
> pending cert expiry is detected, creates an appropriate CSR and submits it
> to your CA, and your CA can be configured to auto-issue the cert.
>
> > I'm willing to be schooled on that, but after thinking about it for a
> > while I can't see any objections -
> > except perhaps "It can't be done."
>
> I don't think it can be done with the built-in auto-renewal process in
> Windows, because it doesn't do what you think/want it to do.
>
> > Asset management - that's a spreadsheet on which assets are tracked,
> > right? :)
>
> Not ideal.
>
> But you could improve on the idea: e.g. create some formulas that
> colour-code or highlight the contracts or assets that are reaching EoL.
> Write a VBScript that queries it every day, and generates an email with
> things that need to be renewed or a helpdesk ticket, or whatever.
> Downside to Excel is it might be hard to model different types of items
> without using different tabs, and you don't get any real referential
> integrity, and version control is a PITA etc.
>
> Cheers
> Ken
>
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Kurt Buff
> > Sent: Tuesday, 1 April 2014 10:03 AM
> > To: [email protected]
> > Subject: [NTSysADM] IIS certs expiration and autorenewal from a Windows CA
> >
> > All,
> >
> > We had a bit of a scramble when an IIS SSL cert generated by our
> > internal CA expired, and didn't autorenew.
> >
> > Now that I've fixed it, I'm wondering how to set up autorenewal,
> >
> > From my reading so far, it looks like I need to set up an SPN for the
> > web site on the machine account, viz:
> > http://social.technet.microsoft.com/Forums/windowsserver/en-US/0b435135-5a90-4957-9bcc-a92b4c519fda/autoenrollment-for-web-server-certificates
> >
> > and
> >
> > http://support.microsoft.com/kb/929650
> >
> > Is this correct, and sufficient? Or do I need to dig a little deeper?
> >
> > Kurt
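One way to do the "detect pending expiry, build a CSR, submit to the CA" step Ken describes, as an added example (not code from the thread or from either poster). It walks every IIS HTTPS binding, looks the bound thumbprint up in the machine store, and for certs inside the warning window writes a certreq INF reusing the old subject and submits it. The CA config string, template name and output directory are placeholders, and the script assumes the WebAdministration module (IIS 7.5+) and an elevated session.

```powershell
# Added example: report expiring IIS certs and request replacements via certreq.
# Placeholders: $CaConfig (see "certutil -dump"), $Template (must allow a supplied subject).
param(
    [int]$WarnDays = 30,
    [string]$CaConfig = 'CAHOST\CA-NAME',   # placeholder
    [string]$Template = 'WebServer',        # placeholder
    [string]$OutDir   = 'C:\CertRenew'
)
Import-Module WebAdministration
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

$now = Get-Date
$expiring = @()
foreach ($site in Get-Website) {
    foreach ($b in ($site.bindings.Collection | Where-Object { $_.protocol -eq 'https' })) {
        # The binding stores the thumbprint and (optionally) the store name of the bound cert
        $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
        $cert  = Get-ChildItem "Cert:\LocalMachine\$store" |
                 Where-Object { $_.Thumbprint -eq $b.certificateHash }
        if (-not $cert) { Write-Warning "$($site.Name) $($b.bindingInformation): bound cert not in store"; continue }
        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        "{0,-25} {1,-20} {2,4}d  {3}" -f $site.Name, $b.bindingInformation, $daysLeft, $cert.Subject
        if ($daysLeft -le $WarnDays) { $expiring += [pscustomobject]@{ Site = $site.Name; Cert = $cert } }
    }
}

foreach ($e in $expiring) {
    $base = Join-Path $OutDir $e.Cert.Thumbprint
    # certreq INF: same subject as the expiring cert, non-exportable machine key, PKCS#10 request
    @"
[NewRequest]
Subject = "$($e.Cert.Subject)"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$base.inf" -Encoding ASCII
    certreq -new "$base.inf" "$base.req"
    # If the template auto-issues, -submit returns the cert and -accept installs it in LocalMachine\My
    certreq -submit -config $CaConfig "$base.req" "$base.cer"
    certreq -accept "$base.cer"
}
```

The new cert still has to be bound to the site afterwards (the binding keeps pointing at the old thumbprint), and if the template requires CA manager approval the request stays pending, so run this from a daily scheduled task with enough lead time.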

