Enable Auto Enrollment to Avoid Expiring Certificates

Its common that sometimes few admins miss the renewal of some key certificates in their Microsoft internal PKI (Public Key Infrastructure), this is due to the fact that its a bit of manual task and you need to set manually some Outlook reminders (My favorite method) or run schedules tasks to remind you before the Certificate expiration date.

However if you a user that logs frequently on this CA (Certificate Authority) server we can enable Auto Enrollment for this user. After configuring it, we don’t need to worry about the expiring certificates as long as the specific user still logs onto the CA.

To Enable Auto Enrollment you need to do the following:

1. Right click on the Certificate Template where you need to enable the Auto Enrollment feature
2. On the Security Tab (Check below image), add a specific user or grant an existing user the Auto Enroll permission (In my case i picked a normal low privileged service account that connects periodically on the server at least each month for maintenance and installing latest windows updates.)                                                                                                                                                                                                                                                                      
   
                                                                                                                                                            
3. Publish the Template and issue the needed certificate.
4. Open the Group Policy Management (On your Domain Controller) and either create a new Group policy or simply edit the Default Domain Policy
5. Navigate to User Configuration - Policies - Windows Settings - Security Settings - Public Key Policy and enable Autoenrollment as shown below. 

This user with the Autoenroll feature enabled when logged in on the CA server will get notified and the certificate will get enrolled and the Certificate won't get expired.

Read More

The Validity Period of an Issued Certificate is Shorter than Configured

I recently passed with couple of scenarios where one of the issued Certificates in Microsoft PKI infrastructure solution has validity period shorter than the period already configured on the template of this certificate. The main reason of changing and increasing the validity period/years for several specific certificates is to avoid frequent renewal process. 

The scenario i passed by recently was when a user duplicated one of the templates and changed the Validity from the default 2 Years to 4 Years and issued the new Certificate however the issued certificate still reads 2 Years. This can be due to one of two reasons

1. The CA certificate period /Remaining Period (CA cannot issue a certificate that is longer than its own CA certificate) is less than the user certificate period. You cannot issue a user certificate which is 10 Years valid if your Root CA is 5 years only.
2. The default Validity Period that is allowed by CA (defined in CA reg)

To check for the CA Certificate period/Duration, you need to do the following

1. Open the CA Console
2. Right Click on the CA - Properties
3. From the General TAB click View Certificate and check the duration.

If the CA Remaining duration is less than the required user certificate duration then you need to increase the CA value and renew the CA certificate as follows:

1. Configure CAPolicy.inf that directly controls CA certificate.
2. Go to C:\Windows Folder, find the file CAPolicy.inf
3. Change the "RenewalValidityPeriodUnits" value to the appropriate period (10 or 15 Years)
4. Restart the CA Service
5. Renew the CA Certificate (Right Click on the CA - All Tasks - Renew CA Certificate)

If the CA Period/Duration is fine and longer than the user certificate need then we need to check the default Validity Period in the CA Registry by doing the following:

1. Open Admin CMD on the CA server and type certutil -getreg ca                                                                                                                                                                                    
2. Check the ValidityPeriodUnits which refers to the maximum period that this CA can issue. You can define this value according to your own requirements, but it won’t exceed the lifetime of CA.
3. From the Same CMD run certutil -setreg ca\ValidityPeriodUnits 5 (This will increase the validity to 5 years)
4. Stop and restart CA service.

Now try again to Enroll certificate again from client to check the validity period.

Read More

How to Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub

Its highly recommended when building your Microsoft PKI (Public Key Infrastructure) to have your Root CA offline after issuing the Enterprise Sub CA certificates. Its recommended to minimize the access to the Offline Root CA as possible. The Root CA is not a domain joined machine and can be turned off without any problem.

One of the Key issue is the CRL generated from the Root CA, you need to set the CRL interval for a large value so that we don’t need to copy the CRL to an online location frequently and do not implement delta CRLs, because the publication of each delta CRL would require access to the offline root CA in order to copy the delta CRL to an online publication location. In order to change the CRL interval you need to:

1. Turn on the Offline Root CA and login with Admin account
2. Open the Certification Authority Console
3. Right Click on the "Revoked Certificates" and click Properties.
4. Set “CRL Publish interval” to a large value (Default is 26 Weeks) and  uncheck “Publish Delta CRL” check-box.

In order to Publish a new CRL from the offline Root CA to the Enterprise Sub CA you need to do the following:

1. Publish a new CRL on the Root CA, this can be done by Right Click the "Revoked Certificates" - All Tasks - Publish                                                                                                                                                                                                                                                          
   
                                                                                                                                                                    
2. Copy the CRL file from the Root CA located under %systemroot%\system32\certsrv\certenroll to the Sub CA Server
3. Turn off the Root CA
4. Copy the above file to the InetPub folder (HTTP Path) in the Sub CA server which is by default located under the C:\inetpub\wwwroot\Certdata
5. Open an Admin Command Prompt and run the following command to publish it to the Active Directory (LDAP Path).                                                                                           certutil -f -dspublish " C:\Inetpub\wwwroot\certdata\RootCA.crl

This process of renewing the CRL and publishing a new one is manually done since the Root CA is offline and thats why its better to make the CRL publish interval more than the default value so you won't do it frequently. You may also want to set an automated reminder before the next renewal date.

Read More

How to Manually Delete Old/Empty WSUS computer Group from Database

Recently i was trying to delete/Remove one of the old computer groups under WSUS Console - Computers - All Computers. This Group was an old group with no members/Clients or any pending approvals any more. I tried removing it from the GUI by Right licking the object and Delete but the server hanged and i got connection error as shown below.

This problem might occur in WSUS servers utilizing the internal DB which has several limits and with the huge number of updates and many groups you can face such issue.

To solve this problem and manually remove this Group you will need to work it from the database and edit couple of tables as follows:

1. Make Sure to take a backup from your WSUS server and WSUS DB.
2. Use SQL Management Studio to connect to Windows internal database \\.\pipe\MSSQL$Microsoft##SSEE\sql\query
3. We will mainly remove the old records from tbtargetgroupand tbflattenedtargetgroup tables
4. Run “select * from tbtargetgroup” to get the list of groups.
5. Identify the TargetGroupID of one of the groups that you want to delete
6. Run delete from tbflattenedtargetgroup where TargetGroupID = ‘<TargetGroupID for the group which is to be removed>’
7. Run delete from tbdeployment where targetgroupid = ‘<Previous step ID>’
8. Run delete from tbtargetgroup where TargetGroupID = ‘<Previous same ID>’

This should take care of the deletion of these groups. Again its always required to ensure you have full backup from your DB.

Read More