Certificate Renewal / Smart Cards

Discussion in 'Server Security' started by MC, Oct 19, 2004.

  1. MC

    MC Guest

    Hi,

    Windows Server 2003 Enterprise Edition Certification Authority
    Windows XP SP1 Clients

    What will happen if the smart card user certificates stored on smart cards
    are going to expire soon?
    Will the user get any popup message on his XP workstation?
    Will the certificate be renewed automatically?

    I'm using the default standard smart card user certificate template.

    Thanks for answers
    MC
     
    MC, Oct 19, 2004
    #1

  2. MC

    Miha Pihler Guest


  3. MC

    MC Guest

    Auto enrollment is not configured.
    An admin should enroll the smart card user certificate on behalf of the user
    using a smart card enrollment station.

    The user should get a popup when the certificate is going to expire in x
    weeks. My primary question is whether the user can renew his smart card user
    certificate, including the private key, by himself, or whether an admin must
    do the renewal process on behalf of the user.

    Thanks
    MC
     
    MC, Oct 19, 2004
    #3
  4. MC

    Miha Pihler Guest

    Hi,

    I am not sure if there is any easy way of doing what you are describing.

    What is possible is for the client to request a certificate based on the
    configured autoenrollment, but to pend the user's request until e.g. a
    certificate manager has checked and approved the issuance of the
    certificate... This is described in the article that I posted in my previous
    post (Certificate Autoenrollment in Windows Server 2003) under Advanced
    Features -> Requiring Certificate Manager Approval.

    You can limit which users or groups may autoenroll for a specific certificate
    template...

    Mike
     
    Miha Pihler, Oct 19, 2004
    #4
  5. Paul Adare

    In article <>, in the microsoft.public.windows.server.security news group,
    Miha Pihler <mihap-> says...

    > I am not sure if there is any easy way of doing what you are describing.

    There is.

    1. Create a new certificate template for the smart card certificate
    renewal.
    2. Configure it to support autoenrollment.
    3. Supersede the initial smart card certificate.
    4. Require the renewal request to be signed with an existing smart card
    certificate.
     
    Paul Adare - MVP - Microsoft Virtual PC, Oct 19, 2004
    #5
  6. MC

    MC Guest

    Paul,
    Thanks for your answer.
    I think this is the way I can solve my problem.

    MC
     
    MC, Oct 20, 2004
    #6
  7. MC

    MC Guest

    I'm going to do the following steps:
    - Duplicate the original smart card user template
    - Configure the new template to allow renewal if a valid certificate exists
    - Supersede the original smart card user template
    - Issue the smart card user certificate to a user via an enrollment agent on
    a smart card enrollment station
    - Logon to a win xp workstation with the newly created smart card user
    certificate

    Must there exist a user GPO to allow automatic smart card user certificate
    renewal, or does the Win XP workstation trigger the auto-renewal process when
    the user's smart card user certificate is going to expire soon?

    My primary concern is that I have to implement a smart card logon solution
    and I don't want to run into trouble when the first issued smart card user
    certificates are going to expire one year after implementation.


    Thanks
    MC
     
    MC, Oct 21, 2004
    #7
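The renewal template described in Paul's four steps (#5) and in the plan just above (#7) lives as an object under CN=Certificate Templates in the forest's Configuration partition, so each setting can be checked there before the first smart card is issued. The script below is an added example, not code from the thread or from Microsoft; it reads the template object with ADSI and reports what the Issuance Requirements, Superseded Templates and General tabs actually contain. The template CN 'SmartcardUserRenewal' is a placeholder; the flag bits and OIDs are the documented msPKI-Enrollment-Flag values and the Smart Card Logon application policy OID.

```powershell
# Added example (not from the thread): audit a smart card renewal template's
# AD object. Placeholder: template CN. Run as a user who can read the
# Configuration naming context. Flag bits/OIDs are from Microsoft's MS-CRTD.
param([string]$TemplateName = 'SmartcardUserRenewal')

$OID_SMARTCARD_LOGON = '1.3.6.1.4.1.311.20.2.2'
$CT_FLAG_PEND_ALL_REQUESTS                       = 0x002  # "CA certificate manager approval"
$CT_FLAG_AUTO_ENROLLMENT                         = 0x020  # template may be autoenrolled
$CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT = 0x040  # "Reenrollment: valid existing certificate"

function ConvertFrom-PkiPeriod([byte[]]$bytes) {
    # pKIExpirationPeriod / pKIOverlapPeriod hold a negative 64-bit count of 100 ns ticks
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($bytes, 0))
}

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
if (-not $tmpl.distinguishedName) { throw "Template '$TemplateName' not found under $configNc" }

$p          = $tmpl.Properties
$flags      = [int]$p['msPKI-Enrollment-Flag'].Value
$schemaVer  = [int]$p['msPKI-Template-Schema-Version'].Value
$raSigs     = [int]$p['msPKI-RA-Signature'].Value              # "This number of authorized signatures"
$raPolicies = @($p['msPKI-RA-Application-Policies']) -join ' ' # policy the signing certificate must carry
$supersedes = @($p['msPKI-Supersede-Templates'])
$ekus       = @($p['pKIExtendedKeyUsage'])
$validity   = ConvertFrom-PkiPeriod $p['pKIExpirationPeriod'].Value
$renewal    = ConvertFrom-PkiPeriod $p['pKIOverlapPeriod'].Value  # client renews once less than this remains

"Template            : $TemplateName (schema v$schemaVer)"
"Validity / renewal  : $($validity.Days)d / $($renewal.Days)d"
"Supersedes          : $($supersedes -join ', ')"
"EKUs                : $($ekus -join ', ')"
"Enrollment flags    : 0x{0:X}" -f $flags
"Issuance signatures : $raSigs (policy: $raPolicies)"

$findings = @()
if ($schemaVer -lt 2) {
    $findings += "schema v$schemaVer: v1 templates cannot be autoenrolled, duplicate it to get a v2 template"
}
if (-not ($flags -band $CT_FLAG_AUTO_ENROLLMENT)) {
    $findings += 'Autoenroll is not enabled on the template'
}
if (-not ($flags -band $CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT)) {
    $findings += "'Valid existing certificate' is not required for reenrollment, so renewals need the enrollment agent again"
}
if ($raSigs -lt 1) {
    $findings += 'No authorized signature required: anyone with Enroll could request a smart card logon cert for themselves'
}
elseif ($raPolicies -notmatch [regex]::Escape($OID_SMARTCARD_LOGON)) {
    $findings += "Signing certificate is not required to carry Smart Card Logon ($OID_SMARTCARD_LOGON)"
}
if ($supersedes.Count -eq 0) {
    $findings += 'Template supersedes nothing: holders of the original smart card cert will not be moved to it'
}
if ($ekus -notcontains $OID_SMARTCARD_LOGON) {
    $findings += 'Issued certificates would lack the Smart Card Logon EKU'
}
if ($renewal -ge $validity) {
    $findings += 'Renewal period is not shorter than validity: clients would try to renew immediately'
}
if ($flags -band $CT_FLAG_PEND_ALL_REQUESTS) {
    $findings += 'CA certificate manager approval is on: renewals pend until a certificate manager issues them'
}
if ($findings.Count) { 'Findings:'; $findings | ForEach-Object { " - $_" } } else { 'No findings' }
```

Run it once against the original (v1) smart card user template and once against the duplicate: the first should report that it cannot be autoenrolled, the second should come back clean apart from the informational manager-approval line if you took Miha's pending-request route.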
  8. MC

    PK Guest

    I think you also need to look at "Autoenrollment settings" in the
    policy/policies to enable autoenrollment. You find it in User Config, Windows
    settings, Security settings, Public Key Policies.

    -
    PK
    -

     
    PK, Oct 21, 2004
    #8
  9. MC

    MC Guest

    Does the user have to have the "enroll" and "autoenroll" permission to
    perform the renewal?

    If yes, that wouldn't be fine, because only enrollment agents should be able
    to enroll for smart cards.
    Users should only be able to renew existing smart card user certificates,
    including new private keys.

    MC


     
    MC, Oct 21, 2004
    #9
  10. MC

    PK Guest

    The user must have read, enroll and autoenroll access to the certificate
    template to autoenroll, but I think only read and enroll to renew a
    certificate.

    But beware:
    - auto-renew needs DCOM (web enroll will not renew certs), and that can
    conflict with internal firewalls
    - if a smartcard certificate is also used for any encryption purposes, such
    as secure e-mail, you should now blow the private keys (or you will not be
    able to read any encrypted info (e.g. mail)).

    -
    PK
    -
     
    PK, Oct 21, 2004
    #10
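PK's two posts (#8 and #10) turn on three things you can verify rather than assume: which principals hold Enroll as opposed to AutoEnroll on the template, whether the user's Autoenrollment Settings policy has actually applied, and whether the workstation can reach the CA over DCOM. The script below is an added example, not code from the thread or from Microsoft. The template CN and the CA config string are placeholders; the extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment and the 0x8000 "disabled" bit of AEPolicy are the documented values.

```powershell
# Added example (not from the thread). Placeholders: template CN, CA config
# string ("host\CA common name"). GUIDs and the AEPolicy bit are Microsoft's
# documented values. The first part runs anywhere in the forest, the second
# part on the XP workstation as the smart card user.
param(
    [string]$TemplateName = 'SmartcardUserRenewal',
    [string]$CaConfig     = 'ca01.corp.example\Corp Issuing CA'
)

$RIGHT_ENROLL     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$RIGHT_AUTOENROLL = [guid]'a05b8cc2-17bc-11d2-9e26-00c04f79dc55'  # Certificate-AutoEnrollment
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$acl  = $tmpl.ObjectSecurity

"--- $TemplateName : enrollment rights ---"
foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
    $rights = $ace.ActiveDirectoryRights
    $label  = $null
    if ($rights -band $ADR::GenericAll) {
        $label = 'GenericAll (can enroll and edit the template)'
    }
    elseif ($rights -band ($ADR::WriteDacl -bor $ADR::WriteOwner -bor $ADR::WriteProperty)) {
        $label = 'Write (can change the template)'
    }
    elseif ($rights -band $ADR::ExtendedRight) {
        if     ($ace.ObjectType -eq $RIGHT_ENROLL)     { $label = 'Enroll' }
        elseif ($ace.ObjectType -eq $RIGHT_AUTOENROLL) { $label = 'AutoEnroll' }
        elseif ($ace.ObjectType -eq [guid]::Empty)     { $label = 'All extended rights (Enroll + AutoEnroll)' }
    }
    if ($label) { '{0,-5} {1,-45} {2}' -f $ace.AccessControlType, $label, $ace.IdentityReference }
}

"--- client side (run as the smart card user on the workstation) ---"
# The user GPO 'Autoenrollment Settings' writes AEPolicy here; 0x8000 is
# "Do not enroll certificates automatically".
$ae = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
if (-not $ae -or $null -eq $ae.AEPolicy) { 'AEPolicy       : not set (Autoenrollment Settings GPO not applied to this user)' }
elseif ($ae.AEPolicy -band 0x8000)        { 'AEPolicy       : 0x8000, autoenrollment disabled by policy' }
else                                      { 'AEPolicy       : 0x{0:X}, autoenrollment enabled' -f $ae.AEPolicy }

# Autoenrollment talks to the CA over DCOM: TCP 135 first, then a dynamic high port.
$caHost = $CaConfig.Split('\')[0]
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($caHost, 135); "RPC mapper     : ${caHost}:135 reachable" }
catch   { "RPC mapper     : ${caHost}:135 unreachable (internal firewall?)" }
finally { $tcp.Close() }

# certutil -ping exercises the CA's ICertRequest interface over DCOM end to
# end, dynamic port included, which the port-135 test alone does not prove.
& certutil.exe -config $CaConfig -ping | Out-Null
if ($LASTEXITCODE -eq 0) { 'certutil -ping : CA request interface reachable' }
else                     { "certutil -ping : failed, exit code $LASTEXITCODE" }
```

The rights listing answers MC's worry directly: the smart card users need Read, Enroll and AutoEnroll on the renewal template, while the enrollment agents need Enroll on the original template, and nobody outside the PKI admins should show up with GenericAll or a Write right on either.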
  11. MC

    PK Guest

    Oh, sorry - I must correct a typo:
    ....
    - if a smartcard certificate is also used for any encryption purposes, such
    as secure e-mail, you should NOT blow the private keys (or you will not be
    able to read any encrypted info (e.g. mail)).
    ....

     
    PK, Oct 25, 2004
    #11