How to Renew Certificates from a Microsoft Certificate Authority

Key Points
  • A certificate renewal interface drastically reduces the time required to garner a new certificate by reusing part of the configuration of an expiring certificate. 
  • The exact method for certificate renewal will vary depending on the provider you have and the operating system you are using.
  • One of the best solutions to counteract unknown expired certificates is to automate the process.

One of the best ways for a company to keep its security robust is to take advantage of certificates in its network environment. Certificates use public-private key encryption to secure information sent over the air.

While certificates offer numerous advantages, improper certificate management can lead to unforeseen lapses in security. It’s important to be aware of proper practices for certificate management, as a security breach can have dire consequences for any organization.

One important process to be aware of is certificate renewal. The certificate lifecycle ends when a certificate is either revoked or expires. A certificate renewal interface drastically reduces the time required to obtain a new certificate by reusing part of the configuration of the expiring certificate.

You might think it would be hard for a certificate to expire unnoticed, but major organizations such as LinkedIn, Cisco, The White House, Pokémon Go and The UK Conservative Party have all had issues caused by certificate expiry.

The truth is that if these organizations had used simple processes for certificate renewal, they would have eliminated the risk of those security lapses. In this article we’ll talk about how to renew certificates in a Microsoft environment, and about alternative methods that may work better for your organization.

How To Renew Certificates Generally

The exact method for certificate renewal will vary depending on the provider you have and the operating system you are using. Generally, it can be summarized in four steps:

  1. Generate a new CSR (Certificate Signing Request). Your vendor will provide you with a CSR code (a block of encoded text). Note: keep this code handy, because you’ll need it to re-activate your certificate.
  2. Activate your certificate by providing the encoded CSR code.
  3. Validate your certificate through one of:
    • Email validation
    • HTTP validation
    • DNS validation
  4. Install your certificate onto your device. This varies in difficulty depending on your vendor and OS.
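The CSR step of the procedure above, as an added example that is not code from the original post or from SecureW2: it generates a fresh key and request with OpenSSL and checks the request before it is sent to the CA. The device name, organization and output directory are constructed, and it assumes openssl 1.1.1 or newer is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original post or from SecureW2: step 1 of
# the renewal procedure, generating a fresh key and CSR with OpenSSL and
# checking the request before it goes to the CA. The device name and output
# directory are constructed; it assumes openssl 1.1.1 or newer is on PATH.
set -eu

# make_csr DIR CN SAN: writes DIR/device.key and DIR/device.csr
make_csr() {
    dir=$1; cn=$2; san=$3
    mkdir -p "$dir"
    # A renewal should carry a new key pair rather than reuse the expiring one.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/device.key"
    chmod 600 "$dir/device.key"
    # -addext places the SAN inside the request; relying on CN alone is obsolete.
    openssl req -new -sha256 -key "$dir/device.key" \
        -subj "/CN=$cn/O=Example Corp" \
        -addext "subjectAltName=DNS:$san" \
        -out "$dir/device.csr"
}

# csr_is_valid CSR: exit 0 only if the CSR's self-signature verifies, which
# shows the request really was produced with the key we just generated.
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_san CSR: prints the SAN names carried by the request, e.g. DNS:host
csr_san() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage: build and check a request for one device, then show what the CA sees.
out="${TMPDIR:-/tmp}/renewal-demo"
make_csr "$out" device01.example.test device01.example.test
csr_is_valid "$out/device.csr" && echo "CSR verifies"
echo "SAN: $(csr_san "$out/device.csr")"
openssl req -in "$out/device.csr" -noout -subject
```

The CSR file is what gets pasted into the vendor's activation form in step 2; the key file never leaves the device.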

If you are just renewing one certificate, doing things manually may be the easiest way to go. However, renewing certificates manually is not a good option for larger organizations. Think about having to perform each one of these steps for each device in a company with a large variation in operating systems. For most, it’s simply not a viable solution.

Renewing Certificates With Microsoft AD CS

One of the best ways to guard against certificates expiring unnoticed is to automate the process. Certificate auto-enrollment was first introduced in Windows 2000 and has been greatly enhanced over time with new features and usage scenarios. Windows 10 and Windows Server 2016 can automatically renew expiring certificates for users and devices in AD environments.

Microsoft’s certificate auto-enrollment is configured through Group Policy (GPO). It allows devices to automatically enroll for a new certificate when the current one is about to expire. For this to work, you need to configure an auto-enrollment policy and certificate templates. Templates must be set with the correct permissions, such as “Read and Enroll.” Remember to use security groups when granting template permissions. Once the templates have been configured, add them to your Enterprise CA so auto-enrollment can begin.

Unfortunately, the auto-enrollment process only works with GPO and AD CS certificate templates. If you have any non-AD devices or MDMs, SecureW2’s software can integrate with any MDM (Jamf, Airwatch, Mobile Iron, etc.) and push out renewal policies.

Renewing Certificates With SecureW2

Microsoft CAs use templates to set certificate validity, and Windows Server 2000 and 2003 do not allow the validity period in a template to be modified.

With SecureW2, certificate templates can be configured so certificates stay valid for any number of years. A practical example could be for a university where you could easily set up group policies so when users enroll for a certificate, your system automatically issues 4 year certificates to students and 8 year certificates to faculty and staff.

Expiry Notifications For BYODs

Sending out automated certificate expiration notifications is critical to maintaining a secure network. You may recall the Experian Data Breach that occurred in 2017, where one of the main factors in the breach was a certificate that expired without anyone noticing.

We recommend all our customers take advantage of our automated certificate expiration notification emails. When you generate a CA with SecureW2, you can select when and how often end users will be notified that their certificates are about to expire. The screen above shows the interval options (in days) that are available. SecureW2 will automatically email end users when a certificate expires and will instruct them on how to re-enroll.
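The notification interval described above is a renewal window measured in days before expiry. As an added example that is not code from the original post or from SecureW2, the script below applies such a window to a directory of certificates and lists the ones due for renewal; the file paths and hostnames are constructed, and it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original post or from SecureW2: a renewal
# window check that flags certificates expiring within N days, the same
# "days before expiry" interval the notification settings express. File paths
# and hostnames are constructed; it assumes openssl is on PATH.
set -eu

# renewal_due CERT DAYS: exit 0 if CERT expires within DAYS days (renew now),
# exit 1 if it stays valid beyond the window.
renewal_due() {
    # -checkend exits 0 when the cert is still valid at now+seconds and
    # non-zero when it will have expired by then, so invert the result.
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1
    fi
    return 0
}

# report_expiring DIR DAYS: print every PEM cert in DIR that is due for
# renewal together with its notAfter, in a form a notification job can consume.
report_expiring() {
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue
        if renewal_due "$cert" "$2"; then
            printf '%s %s\n' "$cert" "$(openssl x509 -in "$cert" -noout -enddate)"
        fi
    done
}

# make_test_cert OUT DAYS CN: self-signed cert valid for DAYS days, a stand-in
# for one issued by a real CA so the check can be exercised offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$3" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Usage: one cert 10 days out, one 400 days out, 30-day notification window.
store="${TMPDIR:-/tmp}/cert-store-demo"
mkdir -p "$store"
make_test_cert "$store/printer01.pem" 10 printer01.example.test
make_test_cert "$store/laptop07.pem" 400 laptop07.example.test
echo "Due for renewal within 30 days:"
report_expiring "$store" 30
```

Run it from cron with the same interval you configure for user notifications, and the output becomes the list of devices that still need attention before they drop off the network.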

Auto-Enroll Managed Devices With SecureW2

SecureW2 uses SCEP (Simple Certificate Enrollment Protocol), which simplifies the enrollment process so you can enroll any device for a certificate without any user interaction.

A SCEP client reaches the PKI through a URL and authenticates its request with a shared secret known to the certificate authority. Mobile Device Management (MDM) software commonly uses SCEP by pushing a payload containing the SCEP URL and shared secret to managed devices.

The SecureW2 Management Portal has the necessary components to deploy a SCEP Gateway with any major MDM in less than an hour. With SCEP you can easily configure enrollment policies that auto-renew certificates for managed devices as soon as they expire. This removes any chance of forgetting an expired certificate, and with our GUI you can monitor all your active certificates to ensure nothing falls through the cracks.

Use SecureW2 to Efficiently Manage Certificates

Configuring your certificate management system is of the utmost importance for properly securing your network.

SecureW2 offers an affordable and easy solution for managing your entire PKI, allowing organizations to rely on an efficiently automated system and minimizing human error wherever possible. We can easily integrate with a Microsoft environment to make sure you’re getting the most out of your Active Directory. Check out our pricing page to see how SecureW2 can help you and your organization.

Key Takeaways:
  • SecureW2 allows you to fully take control of certificate management with an easy-to-use management portal.
Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
