How to verify the Enterprise CA Root Certificate
On the server hosting the Enterprise CA:
1. Load the Certificates MMC and then target it at the computer account (Start, Run, MMC, File, Add/Remove Snap-in, Add, Certificates, Add, Computer Account, Next, Finish, Close, OK).
2. Expand the Certificates (Local Computer) and then the Trusted Root Certification Authorities subfolder, then the Certificates folder.
3. Locate the CA Root Certificate and verify the Expiration date.
How to renew the Enterprise CA Root Certificate
On the server hosting the Enterprise CA:
1. Load the Certification Authority Tool (Start, Administrative Tools, Certification Authority)
2. Under 'Certification Authority (Local)', right-click the CA and choose All Tasks and then Renew CA Certificate ...
3. Follow the wizard to renew the CA certificate.
Verify that the Autoenrollment Policy is configured on the Enterprise CA
Before renewing or reissuing client authentication certificates on a DC server, you need to verify that autoenrollment is correctly configured. On the server hosting the Enterprise CA:
1. Load the Certificate Templates MMC (Start, Run, MMC, File, Add/Remove Snap-in, Add, Certificate Templates, Add, Close, OK).
2. Find the Domain Controller Authentication template and double-click it.
3. Select the Security tab.
4. Find the Domain Controllers entry and make sure Enroll and Autoenroll are checked in the permissions.
5. Click OK.
Steps to Renew a soon-to-expire certificate
On the DC server:
1. Load the Certificates MMC and then target it at the computer account (Start, Run, MMC, File, Add/Remove Snap-in, Add, Certificates, Add, Computer Account, Next, Finish, Close, OK).
2. Expand the Certificates (Local Computer) and then the Personal subfolder, then the Certificates folder.
3. Locate the Client Authentication certificate for the Domain Controller and verify the Expiration date.
4. If the certificate has not expired, right-click the certificate, choose All Tasks and then Renew Certificate with Same Key ...
5. Complete the wizard.
6. Run a GPUPDATE /FORCE to force autoenrollment to issue a replacement of the existing certificate.
Steps to Replace an expired certificate
On the DC server:
1. Load the Certificates MMC and then target it at the computer account (Start, Run, MMC, File, Add/Remove Snap-in, Add, Certificates, Add, Computer Account, Next, Finish, Close, OK).
2. Expand the Certificates (Local Computer) and then the Personal subfolder, then the Certificates folder.
3. Locate the Client Authentication certificate for the Domain Controller and verify the Expiration date.
4. If the certificate has expired, right-click the certificate, choose All Tasks and then Request Certificate with Same Key ...
5. Complete the wizard.
6. Run a GPUPDATE /FORCE or reboot the DC server to force autoenrollment to replace the expired certificate.
7. Verify that a replacement certificate has been issued to the DC server in the Certificates folder (step 2).
8. If a replacement certificate was not issued, delete the expired certificate and rerun GPUPDATE /FORCE.
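The expiration checks in the procedures above (CA root certificate, and the Domain Controller's Client Authentication certificate) can also be scripted. The PowerShell below is an added example, not part of the original post; it assumes PowerShell 3.0 or later, and the CA name 'Example-Root-CA' and the 30-day warning window are placeholders.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0 or later.
# Assumptions: 'Example-Root-CA' is a placeholder CA name; 30 days is an
# arbitrary warning window.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-CertExpiryStatus {
    param(
        [Parameter(Mandatory = $true)] [string] $StorePath,
        [string] $SubjectLike = '*',    # wildcard match on the subject
        [string] $RequiredEkuOid,       # optional EKU the certificate must carry
        [int]    $WarnDays = 30
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like $SubjectLike } |
        Where-Object {
            if (-not $RequiredEkuOid) { return $true }
            # Read the EKU extension directly from the certificate.
            $eku = $_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequiredEkuOid })
        } |
        ForEach-Object {
            $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
            # Map the result onto the two procedures: renew before expiry,
            # replace after expiry.
            if     ($daysLeft -lt 0)          { $action = 'Expired: replace' }
            elseif ($daysLeft -le $WarnDays)  { $action = 'Expiring soon: renew' }
            else                              { $action = 'OK' }
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                Action     = $action
            }
        }
}

# CA root certificate in Trusted Root Certification Authorities (run on the CA server)
Get-CertExpiryStatus -StorePath Cert:\LocalMachine\Root -SubjectLike '*Example-Root-CA*'

# Client Authentication certificates in the computer's Personal store (run on the DC)
Get-CertExpiryStatus -StorePath Cert:\LocalMachine\My -RequiredEkuOid $ClientAuthOid |
    Format-Table -AutoSize
```

Run it from an elevated prompt; re-running it after GPUPDATE /FORCE shows whether a replacement certificate with a later NotAfter date has appeared in the Personal store.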
Renewing an IIS 5 or IIS 6 SSL Certificate
1. Open the Internet Information Services (IIS) Manager. From the Start button select Programs > Administrative Tools > Internet Information Services Manager.
2. In IIS Manager, double-click the local computer, and then double-click the Web Sites folder.
3. Right-click the Web site for which you want to renew the SSL certificate (usually the Default Web Site), and then click Properties.
4. On the Directory Security tab, under Secure communications, click Server Certificate.
5. Click Next in the Welcome to the Web Server Certificate Wizard window.
6. Select Renew the current certificate and click Next. Note that doing this will not affect your current live certificate. It will continue to work as before.
7. Select Prepare the request now, but send it later.
8. Enter a path and file name for the certificate request file (CSR). The path you provide is where the IIS wizard will save the CSR as a text file. The default path will be c:\certreq.txt. You'll need to be able to find and open this file in a text editor, such as Notepad.
9. Verify the contents of your request and then click Next.
10. At the Completing the Web Server screen, select Finish.
11. Now open a text editor such as Notepad and open the CSR file you just created at c:\certreq.txt (your path/filename may be different).
12. Copy the certificate into a text editor such as Notepad and save as yourdomain.cer on your desktop.
13. Return to the Directory Security tab of your site and click Server Certificate and select Process the pending request and install the certificate. Click Next.
14. Locate the yourdomain.cer file when prompted to locate your web server certificate. Click Next.
15. Review the summary screen and ensure that you are processing the correct certificate (check the expiration date). Click Next.
16. Click Next and then Finish on the confirmation screen. Your SSL certificate has now been renewed.