Certificates on the rebound

When Christopher Bullock wrote about the certainties in life in his book The Political History of the Devil, he probably should have added a 3rd certainty…that your certificates WILL expire and you’ll have to renew them. I think we can forgive that, as he wrote the book in 1726 and websites weren’t as popular as they are today. However, the topic of certificate renewal is one that certainly plagues the nightmares of every seasoned system administrator.

Ultimately, if you’re an efficient fellow, you can try to have all your certificate expire around the same date, or set reminders in Outlook to remind you about the upcoming expiration, but in reality, it’s the sort of things that tend to get missed even by the most experienced engineers. Even if you do get it right, or have your certificates automatically renew, there’s still the issue of certificate rebind. When an IIS site is configured for a certificate, it has to be re-bound when the certificate is renewed, and if you don’t perform this (by going to the site binding dialog, and selecting the new certificate from the certificate drop-down), you ARE going to get some nasty phone calls.

To make things easier, Microsoft has implemented a new helper mechanism in windows called Certificate Services Lifecycle Notifications. This mechanism is part of Windows 8 and Windows 2012, and it creates system events when certain certificate-related things happen. For example, when a certificate is about to expire (a day before expiration), an event with ID 1003 will be logged under /Applications and Services Logs/Microsoft/Windows/CertificateServicesClient-Lifecycle-System or /Applications and Services Logs/Microsoft/Windows/CertificateServicesClient-Lifecycle-User:

clip_image002

The details pane will show more info, such as the certificate’s subject name and thumbprint:

clip_image004

Other events that might be recorded as part of this mechanism are:

1. New certificate has been installed

2. Certificate has been renewed or replaced

3. Certificate has expired

4. Certificate has been deleted

5. Certificate has been archived

6. Certificate has been exported

Because these events are now logged, administrators can make use of them to help them take care of the other aspects of certificate management. For example, you can use Task Manager to trigger a task when one of these events occur, and the task can do whatever you need it to do, from a simple pop-up notification to the administrator all the way to complex code or scripts that can cure cancer on-queue. The following wiki article by Kurt Hudson details this mechanism and some of the things you can do with it:

https://social.technet.microsoft.com/wiki/contents/articles/14250.certificate-services-lifecycle-notifications.aspx

To take this a step further, the IIS team has implemented some new functionality in IIS 8.5, which is part of the upcoming Windows 2012 R2 release. This functionality is designed to take advantage of the same notification mechanism and automatically re-bind a certificate that has been renewed.

To make this happen, IIS can automatically register a task in the system’s Task Scheduler, and the task is keyed to trigger upon a certificate-renewal event (event ID 1001). When such an event happens (either when the administrator has manually renewed the certificate, or if it renews with Auto-enrollment), the scheduled task runs IIS’s command-line based tool APPCMD, and gives it the thumbprint of the old (expired) certificate and the thumbprint of the new one. Using these two parameters, APPCMD locates the websites which are bound to the old certificate and rebinds them to the new one.

As far as the user-interface goes, the IIS console now offers the following option, which allows the administrator to enable or disable this functionality:

clip_image006

The tasks created by this mechanism in Task Scheduler can be viewed by opening up Task Scheduler, and navigating to /Microsoft/Windows/CertificateServicesClient, and as you can see, it shows the parameters sent to APPCMD:

clip_image008

If you disable this function in IIS Manager, the task is deleted. This is a good opportunity to note that fiddling with the settings in this task or deleting it manually is not supported, and could have unpredictable results, so don’t do it.

With this feature, the process of certificate renewal can finally be put in the “fugget about it” pile. Simply setup your certificates to automatically renew with Autoenrollment, enable this feature on your IIS servers and go back to reading The Political History of the Devil.