Is it possible to provide certificates to industrial equipment that doesn’t have any enrollment capabilities?
That´s the challenge one of our customers gave us a couple of weeks ago. The certificates should be used for network access on an 802.1x network and authentication to a database. Me and my fantastic colleague Tomas accepted the challenge and went to work.
So we had to create a completely automatic enrollment process with as little user interaction as possible. Our goal was to provide the manufacturer with password protected pfx-files in a bulk with a password file, mapping the pfx-files to a randomly generated password for each pfx. First we started by doing a manual enrollment process.
Enrollment process – step by step
- The first step was to create an inf-file (request.inf) as input to the request file.
Subject = CN=Test123.trustmyroot.com
Exportable = True
KeyLength = 4096
KeySpec = 1 ; AT_KEYEXCHANGE
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True ; The key belongs to the local computer account
ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
ProviderType = 12
SMIME = False
- After that we used the inf-file together with certreq.exe to create a certificate request file.
Certreq.exe -new d:\request.inf d:\enroll\req\Test123.req
- The next step was to submit the request file to the CA and issue a certificate with certreq.exe.
Certreq.exe -submit -config “SRV001.trustmyroot.com\CA01” d:\enroll\req\Test123.req d:\enroll\cer\Test123.cer
- After that we imported the certificate to the certificate store on the local machine with certutil.exe
Certutil.exe -addstore -f MY d:\enroll\cer\Test123.cer
- Then we had to match the certificate to the private key so we would be able to export the pfx-file.
Certutil.exe -repairstore MY Test123.trustmyroot.com
- Next step was to export the pfx from the certificate store and set a password for the private key.
Certutil.exe -password 1q2w3e4r -exportPFX Test123.trustmyroot.com d:\enroll\pfx\Test123.pfx
- Then we deleted the certificate and private key from the local certificate store
certutil –privatekey –delstore MY Test123
After testing this process we gave it all to our brilliant colleague Simon, which created a powershell script with some parameters, a password generator and some other nice stuff.
After testing and handover to the customer they were extremely happy with the solution and it works perfect!
Certificate Rebind in IIS?
So what is it then? It´s a function to automaticlly replace an SSL certificate bound to a web site. If the certificate is renewed then the old one will be replace with the new one. Great isn´t it?
How does this work?
When you enable Certificate Rebind a task will be added to the Task Scheduler which is triggered by the event ID for certificate renewal (event ID 1001). And when a certificate is renewed a function called “Certificate Services Lifecycle Notifications”, which keeps track of certificate releated stuff, writes the renewal event to the event log and the rebind process starts. It simply provides appcmd.exe with the thumbprint of the expired and new certificate.
Then appcmd locates all websites on that server which uses the old cert. It unbinds the old cert and binds the new certs to the affected websites. And this works for both manually and autoenrolled certificates.
If you are really interested this is the command line:
appcmd.exe renew binding /oldcert:$(OldCertHash) /newcert:$(NewCertHash)
What triggers Event ID1001?
• Action (see sources column)
For old and new certificate:
• Subject names
• Renewal via autoenrollment (action=renew)
• Enrollment for a superseding (action=supersede)
• Renewal via MMC enrollment (action=renew)
• Renewal via certreq.exe (action=renew)
• Manually replacing on cert with another using Replace-Certificate PowerShell CmdLet (action=replace)
Note: If you want to use autoenrollment and the cert got a DNS name och SAN-attribute you have to enable “Use subject information from existing certificates for autoenrollment renewal requests” on the template.
Can this be done any other way and on other systems then IIS?
Sure! By using Powershell you can create custom tasks which is triggered by events created by “Certificate Services Lifecycle Notifications”
An excellent article on certificate rebind can be found here:
How to renew web server certificates automatically?
Certificate Services Lifecycle Notifications
But be aware! There are some pitfals and you should have some kind of idea about what you are doing! And remember: Keep it simple!!