Automatically Renewing User Certificates from Inhouse CA?

Archived from groups: microsoft.public.win2000.security

Hi Everyone,

I'm running a Win2k CA inhouse tied directly into Active Directory. In
order to make use of EAP/TLS over VPN, I've logged onto local users'
laptops, and downloaded user certificates for them from the CA webpage
onto their laptops, and they use these certs when connecting through
the VPN.

The issue is this... The certificates are only good for 1 year. They
do not renew themselves when they expire, and basically lock the person
out from even using EAP/TLS over VPN after they expire.

In order to get them working again, we have to manually browse over to
the CA webpage, and download a new user cert all over again, deleting
the old one that is still sitting there, expired.

Is there any way to automatically make these user certs renew, or
possibly force a renewal of that user cert on that machine?

I would appreciate your advice! :)

Thank you,
Mike
  1.

    Thank you very much Steve... I was wondering if you could answer this
    other question I had about certificates?

    Is there any way for me to request a user certificate on their behalf,
    and be able to physically send that certificate file to them via email?
    It seems to me like the only person that can physically handle this
    certificate would be the actual user themselves, needing to be logged
    in as this user in order to request and receive the certificate? You
    would think that as an admin, I could say "OK, let me select this
    user's certificate, and let me save it, so I can email it to them"...
    I'm not sure if this can be done, please let me know what you think?

    Thanks again,
    Mike
  2.

    Sorry... the other question I had for you was whether you know where to
    find this registry entry that would allow me to increase the cert time?
    I searched far & wide, as well as the KB's, with no luck. If you have
    a good idea where to find that, please let me know...

    Thanks again,
    Mike
  3.

    There is no way to automatically renew certificates in Windows 2000. You
    will have to come up with a plan to have the users renew or obtain a new
    certificate before their certificate expires. Windows 2003 Enterprise CA
    when installed on Windows 2003 Enterprise Server allows the use of version 2
    templates that can automatically enroll and renew user certificates. You can
    use a Windows 2003 Enterprise CA in a Windows 2000 domain if you first
    upgrade the forest schema. Only Windows XP Pro domain client computers can
    use autoenrollment however. I believe you can also modify the registry on a
    Windows 2000 CA in order to extend the life of the user certificates out to
    two years for those issued after the registry mod. --- Steve


    <mvanzwieten@gmail.com> wrote in message
    news:1111587372.520638.141270@l41g2000cwc.googlegroups.com...
  4.

    Well I think you could logon to a computer as that user, use Web Enrollment
    to request the certificate, and then use mmc certificates snapin for user
    certificates, go to the personal/certificates folder, and then export that
    user's certificate and private key to a password protected .pfx file. When you
    do such be sure to select to export the certificate change and do not select
    strong private key protection unless you need to enable it. If you cannot
    export the user's private key then you will have to make an advanced
    request, select user certificate and then select make private key
    exportable. Then you can send the certificate to a user and provide them
    with the password for the .pfx file which you may not want to do over email
    which usually is sent in clear text.

    I have not tried this myself and you may want to try it where you enable the
    Exchange user certificate template in the CA Management Console [policy
    settings/new - certificate to issue]. Then use Web Enrollment for advanced
    request, select Exchange user, and then you can enter a user's name being
    sure to select that the private keys are exportable. Then go to your mmc
    certificates snapin for user and find the certificate and export it and the
    private key to a .pfx file. This may or may not work for your situation but
    if it does it will make it easier for you to request certificates for users.
    Be sure to test it out for a couple of users before doing it for one hundred
    and finding out it does not work for what you need. The link below is what
    you requested in your other post. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;254632


    <mvanzwieten@gmail.com> wrote in message
    news:1111727635.244788.150170@f14g2000cwb.googlegroups.com...
  5.

    Yikes. I need to learn to spell better. "be sure to select to export the
    certificate change" should read "be sure to select to export the certificate
    chain". The reason is that the CA's certificate will also be exported with
    the .pfx file so that the computer that the .pfx file is imported into will
    then be able to trust your CA. --- Steve


    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:dcqdnbVJ5rAAMN7fRVn-tw@comcast.com...
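    The export-with-chain step Steve describes in the two posts above, plus the expiry
    problem from the original question, as an added PowerShell example that is not from
    the thread. It assumes Windows PowerShell 5.1 or later with the PKI module
    (Export-PfxCertificate, Get-PfxData), which did not exist on Windows 2000; the CA
    name, warning window and output folder are assumed values.

```powershell
# Added example, not from the thread: list the user's certificates from the in-house
# CA that are expired or about to expire, then export a chosen one together with the
# CA chain to a password-protected .pfx and verify the chain actually landed in the file.
# Assumes the PKI module (Export-PfxCertificate / Get-PfxData); CA name, window and
# output path below are assumed values.
param(
    [string]$IssuerMatch = 'CN=Contoso Issuing CA',   # assumed CA name, change to yours
    [int]$WarnDays = 30,                              # assumed warning window
    [string]$Thumbprint = '',                         # cert to export; empty = report only
    [string]$OutDir = "$env:USERPROFILE\Desktop"
)

$now = Get-Date
# User store only: the EAP/TLS VPN certificates in the thread are user certificates.
$mine = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" }

foreach ($c in $mine) {
    $daysLeft = [int]($c.NotAfter - $now).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
             else { 'OK' }
    '{0,-9} {1,5}d  {2}  {3}  privatekey={4}' -f $state, $daysLeft, $c.Thumbprint, $c.Subject, $c.HasPrivateKey
}

if (-not $Thumbprint) { return }

$target = $mine | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $target) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }
if (-not $target.HasPrivateKey) { throw 'No private key; request the cert with an exportable key first' }

# Prompt for the password rather than embedding it in the script or the e-mail.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$file = Join-Path $OutDir ('user-cert-{0}.pfx' -f $Thumbprint.Substring(0, 8))

# BuildChain is the equivalent of ticking "include all certificates in the
# certification path" in the export wizard: the issuing CA certificate rides along.
Export-PfxCertificate -Cert $target -FilePath $file -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Check the file really contains the CA chain, not only the end-entity certificate.
$pfx = Get-PfxData -FilePath $file -Password $pfxPassword
$chainCount = @($pfx.OtherCertificates).Count
'Exported {0}: end-entity={1}, chain certs={2}' -f $file, @($pfx.EndEntityCertificates).Count, $chainCount
if ($chainCount -eq 0) {
    Write-Warning 'No CA certificate in the .pfx; the importing machine will not trust the CA'
}
```

    Run it as the user whose store holds the certificate; an export attempt on a key that was
    not requested as exportable fails at Export-PfxCertificate, which is the case Steve covers
    with the advanced request.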
  6.

    Thanks very much for all your help, Steve. It sounds like for now, I'll
    need to either make a guide for users to renew their certificates
    themselves, or just grab one for them and email it over (more of a pain
    in the a$$).

    This is a rather good article that goes over certificates in Win2k3,
    and making them autoenroll... Someday we'll have that. :)
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/rmotevpn.mspx

    Thanks again,
    Mike
  7.

    OK. Sounds good. Yes autoenrollment will make your life much simpler. ---
    Steve


    <mvanzwieten@gmail.com> wrote in message
    news:1112044972.643448.129040@z14g2000cwz.googlegroups.com...