Windows Certificate Management (SSL)

This is an effort to avoid some of the problems with Certificate Management, especially as they relate to SSL and Secure LDAP. I will update this as I find out more information.

Terms

Certificate Authority – The Server that is generating Certificates. This could be an internal Certificate Authority (generally Microsoft) or an external firm such as VeriSign (the largest CA vendor)
SSL – Secure Socket Layer
TLS – Microsoft’s implementation of SSL, embraced and extended.


From your Domain Controller, start MMC and:

add the “Certificates” snap-in
select “Computer account.” You have a choice of “My user account”, “Service account” or “Computer account.” We are setting this up for the computer.
select “Local computer”
click Finish
click Close
click OK

Find your Certificates in the Console

Select “Trusted Root Certification Authorities.” Underneath “Certificates” you will find many certificates (232-ish on a default install). One of those will be the certificate (Production Root CA) that allows you to trust the CA that generates the certificates for you.

Select “Personal.” Underneath “Certificates” you should find very few certificates. If you click the one issued by your CA, you can see who it is issued to, who it is issued by and, most importantly, the dates this certificate is valid.

If you are dealing with a Windows 2003 Domain Controller and a Windows CA set up to auto-generate certificates, the Domain Controller will request a new certificate about two weeks before its current certificate expires – if you use autoenrollment. However, the DC cannot use this new certificate until it reboots. What this really means is that you have to reboot your DC within two weeks of your certificate expiring, or it will stop answering SSL traffic.
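The same check done from PowerShell instead of the MMC, as an added example that is not part of the original post: it lists the Local Computer Personal-store certificates carrying the Server Authentication EKU (the kind a DC presents for LDAPS), flags any that expire within the two-week window described above, and confirms each one chains to something in Trusted Root Certification Authorities. It assumes an elevated PowerShell session on the DC; the 14-day threshold is a parameter of this script, not a Windows setting.

```powershell
# Added example (not from the original post). Run elevated on the DC.
param(
    [int]$WarnDays = 14   # assumption: matches the two-week window in the post
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ekuExtOid     = '2.5.29.37'           # Enhanced Key Usage extension
$now = Get-Date

# Thumbprints of everything in Trusted Root Certification Authorities
$trustedRoots = Get-ChildItem Cert:\LocalMachine\Root |
    Select-Object -ExpandProperty Thumbprint

# Personal store: keep certs whose EKU includes Server Authentication,
# or that have no EKU extension at all (Windows treats those as any-purpose)
$serverCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
    (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid)
}

foreach ($cert in $serverCerts) {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays

    # Build the chain offline (trust only, no revocation lookup) to find the root
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk   = $chain.Build($cert)
    $lastIndex = $chain.ChainElements.Count - 1
    $rootThumb = $chain.ChainElements[$lastIndex].Certificate.Thumbprint

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        DaysLeft    = $daysLeft
        ChainBuilds = $chainOk
        RootTrusted = ($trustedRoots -contains $rootThumb)
        Warning     = if ($daysLeft -le $WarnDays) {
                          "Expires within $WarnDays days: schedule the DC reboot"
                      } else { '' }
    }
}
```

A certificate that shows ChainBuilds or RootTrusted as False is one that clients will refuse over LDAPS even before it expires, so both columns are worth watching alongside DaysLeft.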

Outstanding Questions

How do you set up your DC to look to the CA? Is it as simple as adding the certificate to “Trusted Root Certification Authorities?”
Can you expand the window in which your DC downloads a new certificate?
Can you force an on-demand download of a new certificate?

More information can be found HERE