[Today’s post is brought to you by Carol Bailey]
Have you tried to renew the existing site server signing certificate for a native mode site, and wondered how to do this without creating a new certificate? This post provides a procedure to do this that is suitable for when the site server is on either Windows Server 2003 or Windows Server 2008, and your PKI uses Microsoft Certificate Services.
Disclaimer: This procedure is external to Configuration Manager, so you will not find this information in the Configuration Manager product documentation. However, we realize that PKI is often new to Configuration Manager admins, and aim to share our knowledge and experience to help you be more successful with the product.
You can use the same procedure to renew any certificate that’s deployed through Certificate Services, but Group Policy auto-enrollment usually takes care of client certificate renewal automatically. And the IIS site system certificates for server authentication can be easily renewed from the Certificates MMC, by right-clicking on the certificate and selecting All Tasks, and then either Renew Certificate with New Key (recommended), or Renew Certificate with Same Key.
However, there are 2 challenges for renewing the site server signing certificate:
- The Certificates MMC on Windows Server 2003 does not let you specify the Subject value, so you cannot renew the certificate with a new site code.
- The Certificates MMC is not designed for certificate templates that are configured for manual approval.
A note here about manual approval and why changing this to automatic approval in order to workaround the Certificates MMC design is not recommended. Manual approval is recommended for the site server signing certificate because it is a “high value” certificate. It’s high value because it represents the key to the kingdom – your Configuration Manager hierarchy. In comparison with the other certificates, if this certificate is compromised (requested by a compromised or rogue site server), the whole integrity of the hierarchy is in jeopardy. One of the main differences between mixed mode and native mode (in addition to using PKI certificates instead of self-signed certificates) is that policy is signed by both the site server and the management point. Even if the management point is compromised, clients are protected by checking this extra signature on their policies. Policy that is fabricated on a compromised management point, even if the management point has a valid certificate, will be rejected by clients because the policy won’t be signed by the site server signing certificate.
You can use this same procedure to renew any certificate that’s deployed with Certificate Services. However, Group Policy auto-enrollment usually takes very efficient care of certificate renewal automatically. And the IIS site system certificates for server authentication can be easily renewed from the Certificates MMC, by right-clicking on them and selecting All Tasks, and then either Renew Certificate with New Key (recommended), or Renew Certificate with Same Key.
How to Use CertReq to Renew the Site Server Signing Certificate
To adhere to the security best practice of manual approval for this particular certificate, renew the certificate by using the CertReq command line tool, and the certificate serial number. To find the certificate serial number, double-click the certificate from the Certificates MMC, click the Details tab, and then note the value for Serial number. When you specify the serial number with the command-line tools, you must remove the spaces in the string.
You will need to specify this number in the .inf file that you use with CertReq.exe, in the [NewRequest] section and with the option RenewalCert. You will also need to specify MachineKeySet = True, or the renewal will actually create a new certificate in the User store rather than renewing the existing certificate in the Computer store.
This means that your .inf text file will look similar to this:
MachineKeySet = True
It’s as simple as that. Then run through the standard CertReq commands for requesting, retrieving, and installing the certificate. If you need step-by-step instructions because you’re not familiar with CertReq, use the Windows Server 2008 CA step-by-step, section Deploying the Site Server Signing Certificate – only use the .inf file contents above instead of the .inf contents in the step-by-step. However, if you need only a quick reminder (and I often do!):
Certreq – new sitesigning.inf sitesigning.req
- Certreq – submit sitesigning.req sitesigning.cer (select CA when prompted and note request ID number).
- Check and issue the pending certificate request from the CA.
- Certreq -retrieve <ID_number> sitesigning.cer (select CA when prompted)
- Certreq -accept sitesigning.cer
In the Certificates MMC, view the certificate details again and the Valid from and Valid to values should now be updated.
Want to renew the certificate but with a new site code? Add the Subject option to the .inf file, so that it looks similar to this before requesting the certificate:
Subject=”CN = The site code of this site server is BCD”
MachineKeySet = True
Want to renew the certificate with an existing key set? Use my previous post to find the long string of numbers for the certificate’s key container, using the Certutil command. Then specify this string in the .inf file with the KeyContainer option, along with UseExistingKeySet = Yes so that it looks similar to this before requesting the certificate:
RenewalCert = 237f66a4000000000011
UseExistingKeySet = True
MachineKeySet = True
Want to renew the certificate when it’s expired? You’re out of luck. The CA will reject the request to renew an expired certificate and you will see a message similar to “Error Verifying Request Signature or Signing Certificate. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).” This message is also displayed in the Failed Requests node of the issuing CA. When the certificate has already expired, you must request a new certificate instead of renewing the existing certificate.
Using the Renewed Certificate with Configuration Manager
Even though you’ve renewed the existing certificate rather than replaced it, it still has a new serial number and a new certificate thumbprint. This means that you must still specify the renewed site server signing certificate in the site properties, Site Mode tab. When you’ve done the hard work of renewing the certificate, don’t forget this last piece of the renewal process! Remember to do it at a quiet time when it’s OK that all the policies will be resigned. Only if the certificate chains to a root CA certificate with a different key pair will you have to take additional configuration steps for the clients. Otherwise, you’re good to go.
For more information about configuring the Configuration Manager site for a new site server signing certificate, see Renewing or Changing the Site Server Signing Certificate.
This posting is provided “AS IS” with no warranties, and confers no rights.