
How can I do an offline certificate renewal?


Philip Colmer
Aug 15, 2006, 7:53:29 AM

A user has got a laptop with some certificates that were auto-enrolled when
the computer was last in one of our offices. Those certificates have now
expired and I've been trying to find a way of getting them renewed.

I've got the user to try to renew them through the Certificates MMC, whilst
connected with a VPN to the network where the CA is, but the system says
that "The wizard cannot be started because it failed to contact the active
directory".

Is there a recommended process for performing offline renewals ...
preferably with the minimum of user interaction?

--Philip


Alex Radutskiy [MSFT]
Aug 16, 2006, 7:31:01 PM

Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

Philip,

Have you taken a look at the “Advanced Certificate Enrollment” white paper
at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx?
Specifically check out the RenewalCert and ExistingKeySet settings for the
certreq.exe *.inf file. If you’ve read the paper already and still have some
questions, please respond to this thread.

Thank you,
Alex Radutskiy [MSFT]

Philip Colmer
Aug 18, 2006, 8:36:30 AM

"Alex Radutskiy [MSFT]" <AlexRadu...@discussions.microsoft.com> wrote
in message news:F5343C36-757C-46BD...@microsoft.com...

> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers
> no rights.
>
> Philip,
>
> Have you taken a look at the "Advanced Certificate Enrollment" white paper
> at
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx?
> Specifically check out the RenewalCert and ExistingKeySet settings for the
> certreq.exe *.inf file. If you've read the paper already and still have
> some
> questions, please respond to this thread.

That is certainly a comprehensive white paper!

However, I'm a bit unhappy that there seems to be so much user intervention.
For example:

"If you need to renew a certificate that exists on the system where the
certificate request is generated, you must specify its certificate hash as
the value for this key. If you do not know the certificate hash, use the
Certificates MMC Snap-In and look at the certificate that should be renewed.
Open the certificate properties and see the "Thumbprint" attribute of the
certificate. Certificate renewal requires either a PKCS#7 or a CMC request
format."

So if I need to renew a certificate, I need the certificate hash AND that
has to be recorded in the *.inf file ... so it looks like I've got to find a
way of dynamically writing the inf file based on what is already installed
on the user's computer.

In addition, the white paper says "You can only renew certificates that are
time valid. Expired certificates cannot be renewed and must be replaced with
a new certificate.". Is that what happens if you try to renew an expired
certificate ONLINE using the MMC? I've certainly done that but I wasn't
aware that it actually ended up requesting a new certificate.

I realise that Certificate Lifecycle Manager is on its way, but the tools
for managing certificates offline seem to be lacking in the meantime. My
end-users are not the brightest bunch and I'm not sure I have the coding
skills to interrogate the certificate stores & write a dynamic inf file.

--Philip


Alex Radutskiy [MSFT]
Aug 18, 2006, 11:17:39 AM

Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

"Philip Colmer" wrote:

> So if I need to renew a certificate, I need the certificate hash AND that
> has to be recorded in the *.inf file ... so it looks like I've got to find a
> way of dynamically writing the inf file based on what is already installed
> on the user's computer.

This can be done programmatically. You can either use Win32 APIs, CAPICOM,
or .Net x509Certificate2 class to obtain the hash. Check out MSDN for
details.

>
> In addition, the white paper says "You can only renew certificates that are
> time valid. Expired certificates cannot be renewed and must be replaced with
> a new certificate.". Is that what happens if you try to renew an expired
> certificate ONLINE using the MMC? I've certainly done that but I wasn't
> aware that it actually ended up requesting a new certificate.

Let's get a clear definition of "renewal" versus "request" first. Renewal
implies that you still have a valid cert. The scenario for renewal is when
you have a certificate template that is configured to require someone’s
approval, BUT renewals are allowed. Meaning that only the first cert needs to
be approved and after that as long as the user has a valid cert they can get
new certs (it doesn’t have to be the same key) without manager’s approval. So
for the cases where the old cert is not required by the CA the renewal and
request are pretty much the same thing.
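The two settings Alex pointed at (RenewalCert and UseExistingKeySet in the certreq.exe INF) can be filled in from the user's own certificate store instead of by hand. The script below is an added example and is not code from this thread or from Microsoft. It reads the template name out of the certificate's template extension, writes a renewal INF (CMC request, as the white paper quoted above requires for renewals) when the certificate is still time valid, falls back to a plain new request when it has expired (which the white paper says cannot be renewed), and then drives certreq.exe through -new, -submit and -accept. The template name, the working directory and the CA config string "ca01.example.net\Example Issuing CA" are placeholders; the regex used to pull the template name out of the v2 template extension is my own and should be checked against the output of `certutil -dump` on your certificates.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 with the
# Cert: drive, certreq.exe on the PATH, and a CA config string supplied by you.

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v1 templates put the name in 1.3.6.1.4.1.311.20.2; v2 templates put
    # "Template=Name(OID), Major Version Number=..." in 1.3.6.1.4.1.311.21.7.
    # Offline, the name may not resolve and only the OID appears: the INF key
    # CertificateTemplate accepts either, so we return whichever we get.
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.20.2') { return $ext.Format($false).Trim() }
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -and
            $ext.Format($false) -match 'Template=([^,(]+)') { return $Matches[1].Trim() }
    }
    return $null
}

function New-CertreqInf {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Path,
        [switch]$ReuseKey      # default: fresh key pair, as the thread notes is allowed
    )
    $template = Get-TemplateName $Cert
    if (-not $template) { throw "No template extension on $($Cert.Thumbprint)" }
    $lines = @('[Version]', 'Signature = "$Windows NT$"', '', '[NewRequest]')
    if ($Cert.NotAfter -gt (Get-Date)) {
        # Still time valid: a real renewal. The white paper quoted earlier says a
        # renewal must be a PKCS#7 or CMC request, so RequestType is set explicitly.
        $lines += 'RequestType = CMC'
        $lines += "RenewalCert = $($Cert.Thumbprint)"
        if ($ReuseKey) {
            # Per the certreq INF docs, with UseExistingKeySet = TRUE and RenewalCert
            # set, no KeyContainer is needed, and Exportable must not be specified.
            $lines += 'UseExistingKeySet = TRUE'
        } else {
            $lines += 'UseExistingKeySet = FALSE'
            $lines += 'KeyLength = 2048'
            $lines += 'Exportable = FALSE'
        }
    } else {
        # Expired: certreq cannot renew it, so request a replacement from scratch.
        # If the template builds the subject from AD, the CA overrides this Subject.
        $lines += "Subject = `"$($Cert.Subject)`""
        $lines += 'RequestType = PKCS10'
        $lines += 'KeyLength = 2048'
        $lines += 'Exportable = FALSE'
        $lines += 'MachineKeySet = FALSE'
    }
    $lines += @('', '[RequestAttributes]', "CertificateTemplate = $template")
    Set-Content -Path $Path -Value $lines -Encoding ASCII
}

function Invoke-OfflineRenewal {
    param(
        [string]$TemplateName,                        # e.g. 'User' (assumed name)
        [string]$CAConfig,                            # 'ca01.example.net\Example Issuing CA' (placeholder)
        [string]$WorkDir = "$env:TEMP\certrenew"
    )
    New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
    $candidates = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and (Get-TemplateName $_) -eq $TemplateName } |
        Sort-Object NotAfter -Descending)
    if ($candidates.Count -eq 0) { throw "No certificate from template '$TemplateName' in CurrentUser\My" }
    $cert = $candidates[0]                            # newest one; older duplicates are ignored
    $base = Join-Path $WorkDir $cert.Thumbprint
    New-CertreqInf -Cert $cert -Path "$base.inf"
    # -new generates the key and the request locally; no AD access is needed.
    # -q suppresses interactive prompts, -f overwrites files from a previous run.
    & certreq.exe -new -q -f "$base.inf" "$base.req"
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed: $LASTEXITCODE" }
    if ($CAConfig) {
        # -submit talks RPC/DCOM to the CA (reachable over the VPN even when the
        # MMC wizard cannot find AD); -accept binds the issued cert to the pending key.
        & certreq.exe -submit -q -f -config $CAConfig "$base.req" "$base.cer"
        if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed: $LASTEXITCODE" }
        & certreq.exe -accept -q -f "$base.cer"
        if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed: $LASTEXITCODE" }
    }
    return "$base.req"
}

# Usage (placeholders): Invoke-OfflineRenewal -TemplateName 'User' -CAConfig 'ca01.example.net\Example Issuing CA'
```

If the CA template requires manager approval, -submit returns a pending request ID rather than a certificate; -retrieve the issued certificate later with `certreq -retrieve -config <CAConfig> <RequestId> <file>.cer` and then -accept it. Because -new runs before any network contact, the INF and .req can be inspected before anything is sent to the CA.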

Philip Colmer
Aug 21, 2006, 10:25:50 AM

"Alex Radutskiy [MSFT]" <AlexRadu...@discussions.microsoft.com> wrote
in message news:655E6D21-8346-4350...@microsoft.com...

> "Philip Colmer" wrote:
>
>> So if I need to renew a certificate, I need the certificate hash AND that
>> has to be recorded in the *.inf file ... so it looks like I've got to
>> find a
>> way of dynamically writing the inf file based on what is already
>> installed
>> on the user's computer.
>
> This can be done programmatically. You can either use Win32 APIs, CAPICOM,
> or .Net x509Certificate2 class to obtain the hash. Check out MSDN for
> details.

I'm wading through SDK text at the moment but I could do with something to
pull it all together. For example, are there best practices for coding with
the .Net classes? For example, if I wanted to search a store to see if a
particular certificate is present, what is the best way of looking for that
cert without running the risk of matching a spoofed cert?

--Philip


Alex Radutskiy [MSFT]
Aug 21, 2006, 1:21:01 PM

Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

"Philip Colmer" wrote:

>
> I'm wading through SDK text at the moment but I could do with something to
> pull it all together. For example, are there best practices for coding with
> the .Net classes? For example, if I wanted to search a store to see if a
> particular certificate is present, what is the best way of looking for that
> cert without running the risk of matching a spoofed cert?
>

For the .Net classes take a look at
http://msdn2.microsoft.com/en-us/library/ztkw6e67.aspx, specifically
X509Store and X509Certificate2. There is a lot of sample code there as
well.
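Philip's worry about matching a spoofed certificate comes down to what the lookup keys on. The example below is added here and is not from the thread or from the MSDN pages Alex cites; it uses the X509Store, X509Certificate2 and X509Chain classes he mentions. The thumbprint is the SHA-1 hash of the whole DER certificate, so FindByThumbprint can only match the one certificate you mean; Subject, friendly name or template name can be reproduced by anyone able to self-sign a certificate and is not a safe key on its own. What makes a store entry "ours" is a chain that builds to a trusted root through our own issuing CA, so the check pins that CA's thumbprint. The issuing CA thumbprint below is a placeholder you must replace; the Get-TemplateName helper is the same extension lookup as in the earlier example and is not part of the .NET API.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1.
# Placeholder: replace with the real thumbprint of your issuing CA certificate.
$ExpectedIssuingCAThumbprint = '0000000000000000000000000000000000000000'

function Get-CertByThumbprint {
    param([string]$Thumbprint, [string]$StoreName = 'My')
    # Thumbprint = SHA-1 over the DER encoding, so this matches exactly one
    # certificate. validOnly is $false because expired ones are of interest too.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'CurrentUser')
    $store.Open('ReadOnly')
    try   { $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false) }
    finally { $store.Close() }
    if ($found.Count -eq 0) { return $null }
    return $found[0]
}

function Test-IssuedByOurCA {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$IssuerThumbprint = $ExpectedIssuingCAThumbprint,
        [switch]$Offline,          # laptop without CRL/OCSP reachability
        [switch]$AllowExpired      # for picking renewal candidates, not for trusting them
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Decide about revocation explicitly instead of letting an offline failure look
    # like a revoked certificate (or letting NoCheck slip in silently).
    $mode = if ($Offline) { 'NoCheck' } else { 'Online' }
    $chain.ChainPolicy.RevocationMode = $mode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $flags = if ($AllowExpired) { 'IgnoreNotTimeValid' } else { 'NoFlag' }
    $chain.ChainPolicy.VerificationFlags = $flags
    $ok = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $ok) { return [pscustomobject]@{ Trusted = $false; Reason = "chain: $status" } }
    # Element 0 is the leaf; element 1 is the CA that signed it. A certificate with
    # our Subject but signed by any other CA (or self-signed) fails here, whatever
    # else it copies.
    if ($chain.ChainElements.Count -lt 2) {
        return [pscustomobject]@{ Trusted = $false; Reason = 'self-signed' }
    }
    $issuer = $chain.ChainElements[1].Certificate
    if ($issuer.Thumbprint -ne $IssuerThumbprint) {
        return [pscustomobject]@{ Trusted = $false; Reason = "issued by $($issuer.Thumbprint)" }
    }
    return [pscustomobject]@{ Trusted = $true; Reason = 'ok' }
}

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Same extension lookup as in the earlier example (1.3.6.1.4.1.311.20.2 for
    # v1 templates, 1.3.6.1.4.1.311.21.7 for v2); assumption, not a .NET API.
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.20.2') { return $ext.Format($false).Trim() }
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -and
            $ext.Format($false) -match 'Template=([^,(]+)') { return $Matches[1].Trim() }
    }
    return $null
}

function Find-OurCerts {
    # Inventory of CurrentUser\My: which entries chain to our CA, which template
    # they came from, and which have expired. Expired entries are renewal
    # candidates only; $Offline keeps the check usable on a disconnected laptop.
    param([switch]$Offline)
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $verdict = Test-IssuedByOurCA -Cert $_ -Offline:$Offline -AllowExpired
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Template   = Get-TemplateName $_
            Expired    = ($_.NotAfter -lt (Get-Date))
            HasKey     = $_.HasPrivateKey
            Ours       = $verdict.Trusted
            Reason     = $verdict.Reason
        }
    }
}

# Usage: Find-OurCerts -Offline | Where-Object { $_.Ours -and $_.HasKey } | Format-Table
```

Two cautions follow from the design. Pinning the issuing CA thumbprint means the script must be updated when that CA certificate is itself renewed with a new key, so keep the expected value in configuration rather than hard-coded as it is here. And Test-IssuedByOurCA with -AllowExpired answers "did our CA issue this?", which is the right question for choosing a renewal candidate, but never "is this certificate usable now?".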

Philip Colmer
Aug 22, 2006, 4:21:11 AM

"Alex Radutskiy [MSFT]" <AlexRadu...@discussions.microsoft.com> wrote
in message news:05322740-9FAB-43CF...@microsoft.com...

This is where I've been focussing my attention. Although there are some
samples, because this is documentation aimed at the actual classes, there
isn't an over-arching document that shows how it hangs together. The end
result is that I'm having to work my way through each and every method,
property and member to see if I can find what I need to do the job. That is
not a very productive way of working.

Surely there ought to be some higher level documentation for developers that
actually explains best practice, how it all hangs together, etc? If there is
a book that covers this stuff, please recommend it. If there is anything
online, please suggest how I can find it.

Regards

Philip


Philip Colmer
Aug 25, 2006, 9:25:28 AM

"Alex Radutskiy [MSFT]" <AlexRadu...@discussions.microsoft.com> wrote
in message news:F5343C36-757C-46BD...@microsoft.com...

> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers
> no rights.
>
> Philip,
>
> Have you taken a look at the "Advanced Certificate Enrollment" white paper
> at
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx?
> Specifically check out the RenewalCert and ExistingKeySet settings for the
> certreq.exe *.inf file. If you've read the paper already and still have
> some
> questions, please respond to this thread.

Alex

I'm trying to understand what needs to go into the *.inf file, both to renew
an existing certificate and to request a new certificate. I've read through
the paper you suggested but I'm getting an error when I use certreq with my
INF file.

The error is "Keyset does not exist 0x80090016". This occurs after I have
selected a certificate in the window that pops up.

There is an associated question with this: my INF file specifies the
thumbprint of the certificate to renew and yet the system pops up a
certificate picker. I would have expected the system to have already known
which cert I want, or does that behaviour suggest that there is a problem
with my INF file?

[Version]
Signature = "$Windows NT$"
[NewRequest]
KeyContainer={obtained from output of "certutil -store -user my"}
RenewalCert=thumbprint from the certificate
UseExistingKeySet = TRUE
[RequestAttributes]
CertificateTemplate = template from the certificate

Your assistance is appreciated.

--Philip


David Wilkerson
Sep 29, 2006, 11:36:14 AM

If anybody knows of an existing program, or Philip, if you successfully make a program, I would be extremely happy to have a copy, even if I need to pay for it.
 
Thank You and Have a Nice Day
 
David Wilkerson
Network Administrator
TSM Corporation
David.W...@TSMCorporation.com
(901)373-0300 x 130