CA server question - machine certificate renewal
  • CA server question - machine certificate renewal

    Hi everyone -

    I'm hoping you folks can help me find an easy way to renew machine certificates manually.

    I have a scenario in which a few hundred machine certificates all expire on the same date (the date that the CA server cert itself had been due to expire).
    Many of these certs are used to validate a VPN connection from the client laptop, so I'm afraid that the usual automatic renewal of the certificate won't work for that laptop, since the VPN won't authenticate and the laptop will then NOT be able to reach the DC to autorenew its certificate when it expires.


    Therefore, what I want to provide for our Tier 1 support staff is a very simple command line or script, perhaps utilizing certutil.exe, to renew a machine cert when they get a laptop in for service.

    I've looked at the options for certutil.exe and looked at the certs that are on a machine, and I can't figure out a commandline set of switches to pass to certutil.exe to simply renew the local machine certificate and nothing more.

    Can anyone help with a simple set of switches or script to manually force the renewal of the local machine certificate?

    thanks

  • #2
    Re: CA server question - machine certificate renewal

    I believe you want to use certreq.exe, not certutil

    CertReq -Enroll -cert CertId [Options] Renew [ReuseKeys]

    http://technet.microsoft.com/en-us/l...=ws.10%29.aspx
    Rules of life:
    1. Never do anything that requires thinking after 2:30 PM
    2. Simplicity is godliness
    3. Scale with extreme prejudice


    I occasionally post using a savantphone, so please don't laugh too hard at the typos...



    • #3
      Re: CA server question - machine certificate renewal

      arghh...

      how did I miss that!

      That earns me some d'oh points!

      Thanks!



      • #4
        Re: CA server question - machine certificate renewal

        Well let us know if it solves your dilemma!


        • #5
          Re: CA server question - machine certificate renewal

          Well, not quite yet

          Reading the required syntax, it would appear that I need to do this at the command line:

          c:\CertReq -Enroll -cert <the-mach-cert-serial> [Options] Renew [ReuseKeys]

          So I need to locate (from command line) the serial number of the machine certificate issued from the domain Root CA server.

          But when I run the command
          certutil -store
          or
          certutil -store -user
          all I see are the Trusted Root certificates.
          I don't see the certificates issued to the local computer.



          I found this article from some years ago, but the author does not describe how he was obtaining that local machine certificate's serial number in order to renew it.
          http://social.technet.microsoft.com/...icate-silently

          Seems like in order to automatically renew a machine certificate silently in the background, or with no arcane input required by a Tier 1 helpdesk person, my script would have to:
          - locate the hostname/NETBios name/computername of the workstation the script is running on
          - run certutil.exe with some unknown set of options to pull out the local machine cert
          - parse until the local machine certificate is found, and then parse out the serial number

          And finally, execute certreq.exe with that serial number in order to renew


          Is that correct, or is there a tool or command line option I'm unaware of which already does all that?

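The four steps listed in #5 (find the computer name, pull the machine cert out of the local store, extract its serial number, hand it to certreq) combined with the certreq renewal syntax quoted in #2, written out as one script. This is an added example and not code from the thread, from the linked TechNet pages or from Microsoft. It assumes the issuing CA's name contains the placeholder string "Contoso" (override it with -IssuerMatch), that the script runs from an elevated prompt, and that the laptop is on a network where it can reach the CA, e.g. the helpdesk LAN; -FallbackTemplate is a hypothetical template name you supply only if you want a fresh enrollment when the old certificate has already expired.

```powershell
<#
  Renew-MachineCert.ps1  (added example; not from the thread or from Microsoft)
  Locates the machine certificate issued by the domain CA in LocalMachine\My and
  renews it in place with certreq.exe, then verifies a newer cert exists.
  ASSUMPTIONS: issuer name contains $IssuerMatch ('Contoso' is a placeholder);
  run elevated; the CA is reachable; $FallbackTemplate is a template name you
  supply (hypothetical) for a fresh enrollment if the old cert already expired.
#>
param(
    [string]$IssuerMatch = 'Contoso',
    [string]$FallbackTemplate = '',
    [switch]$NewKeys          # roll the key pair instead of 'reusekeys'
)

$ErrorActionPreference = 'Stop'

# LocalMachine\My is only writable from an elevated prompt; fail early and clearly.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

# Step 1: the name the certificate should be issued to (FQDN, NetBIOS name as fallback).
try   { $hostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName }
catch { $hostName = $env:COMPUTERNAME }

# Step 2 + 3: the Cert: drive replaces parsing certutil output. Cert:\LocalMachine\My is
# the computer account's Personal store (what "certutil -store My", without -user, lists).
# Filter on: has a private key, issued by our CA, subject is this host; newest first.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.Issuer  -like "*$IssuerMatch*" -and
        $_.Subject -like "CN=$hostName*"
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No machine certificate for $hostName issued by '*$IssuerMatch*' found in LocalMachine\My"
}
Write-Host ("Found {0}`n  serial     {1}`n  thumbprint {2}`n  expires    {3}" -f
    $cert.Subject, $cert.SerialNumber, $cert.Thumbprint, $cert.NotAfter)

# Step 4: renew. certreq's CertId accepts the serial number (hex, no spaces) or the
# SHA-1 thumbprint. -machine selects the computer store; -q suppresses all UI so a
# Tier 1 script can run it unattended. 'renew reusekeys' keeps the existing key pair.
if ($cert.NotAfter -gt (Get-Date)) {
    $certreqArgs = @('-enroll', '-machine', '-q', '-cert', $cert.SerialNumber, 'renew')
    if (-not $NewKeys) { $certreqArgs += 'reusekeys' }
}
elseif ($FallbackTemplate) {
    # A renewal request is signed with the old certificate; once that has expired the
    # CA may refuse it, so fall back to a brand-new enrollment from the template.
    Write-Warning "Certificate expired on $($cert.NotAfter); enrolling fresh from template '$FallbackTemplate'"
    $certreqArgs = @('-enroll', '-machine', '-q', $FallbackTemplate)
}
else {
    throw 'Certificate has already expired and no -FallbackTemplate was given.'
}

& certreq.exe @certreqArgs
if ($LASTEXITCODE -ne 0) { throw "certreq.exe exited with code $LASTEXITCODE" }

# Step 5: verify rather than trust the exit code: a newer cert for the same subject,
# with a private key, must now be in the store.
$renewed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $cert.Subject -and $_.HasPrivateKey -and $_.NotAfter -gt $cert.NotAfter } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $renewed) { throw 'certreq returned 0 but no newer certificate appeared in LocalMachine\My' }
Write-Host ("Renewed OK: new serial {0}, expires {1}" -f $renewed.SerialNumber, $renewed.NotAfter)
```

Run it as `.\Renew-MachineCert.ps1 -IssuerMatch 'YourIssuingCA'` from an elevated prompt. Two things a practitioner should check before handing this to the helpdesk: that the certificate template allows the computer account to renew (otherwise certreq fails with a policy error regardless of the switches), and whether your CA accepts renewal requests signed by an already-expired certificate, because in this scenario the laptops may well arrive after the expiry date; if it does not, set -FallbackTemplate so the script enrolls a new certificate instead. "reusekeys" is convenient, but if there is any reason to distrust the old key, run with -NewKeys so the renewal generates a fresh key pair.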