How to renew a Windows Server Certificate Authority TLS certificate

Case

You have issued a TLS certificate by utilizing a Windows Server Certificate Authority (CA) template. You need to either manually or automatically renew the issued certificate before it expires.

Solution

Manually

  • You can use the Microsoft Management Console (MMC) certificates snap-in (computer store). You should right-click the expiring certificate and choose “All Tasks –> Renew certificate with new key”.
  • You need to ensure that the Windows Server CA template corresponding to your certificate (usually the Computer template or the Web Server template) have “enroll” permissions configured for the Active Directory computer object of the server from which you are attempting to renew the certificate inside the computer management MMC.
  • To configure the above permission, open the Windows CA management console by navigating to the CA machine and running the certsrv.msc command.
  • Then expand the certification authority node, right-click on the “Certificate Templates” node and click “Manage”.
  • Right-click the certificate template in question and choose “Properties”. In the “Security” tab, add the AD computer object from which you are attempting to renew the certificate and assign “Enroll” permissions to it.
  • You can revert the changes, i.e remove the permissions to the AD computer object after the certificate has been renewed.

Automatically

To allow for automatic certificate renewal, you will need to configure a certificate auto-enrollment policy by Active Directory GPO. Step-by-step instructions on how to create the GPO for certificate auto-enrollment can be found at: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.

Was this article helpful?

Related Articles