How will you enable auto enrollment for the issuance of certificates that supersedes the issued certificates?

Use the auto-re-enrollment statement to configure automatic reenrollment of a specified existing router certificate before its existing expiration date. This function automatically reenrolls the router certificate. The reenrollment process requests the certificate authority (CA) to issue a new router certificate with a new expiration date. The date of auto-reenrollment is determined by the following parameters:

  • re-enroll-trigger-time-percentage—The point, expressed as a percentage of the validity period, before the certificate's expiration at which auto-reenrollment is initiated. The validity period is counted from the router certificate start date/time (when the certificate was generated).

  • validity-period—The number of days after issuance when the router certificate will expire, as set when a certificate is generated.

Note:

This feature is disabled by default and must be configured explicitly. A certificate that does not have auto-reenrollment configured expires on its normal expiration date.

The ca-profile statement specifies which CA will be contacted to reenroll the expiring certificate. This is the CA that issued the original router certificate.

The challenge-password statement provides the issuing CA with the router certificate’s password, as set by the administrator and normally obtained from the SCEP enrollment Web page of the CA. The password is 16 characters in length.

Optionally, the router certificate key pair can be regenerated by using the re-generate-keypair statement.

To configure automatic reenrollment properties, include the following statements at the [edit security pki] hierarchy level:

[edit security pki]
auto-re-enrollment {
    certificate-id {
        ca-profile ca-profile-name;
        challenge-password password;
        re-enroll-trigger-time-percentage percentage;
        re-generate-keypair;
        validity-period days;
    }
}

percentage is the percentage for the reenroll trigger time. The range can be from 1 through 99 percent.

days is the number of days for the validity period. The range can be from 1 through 4095.

Tasks to configure automatic reenrollment of certificates are:

Specify the Certificate ID

Use the certificate-id statement to specify the name of the router certificate to configure for auto-reenrollment. To specify the certificate ID, include the statement at the [edit security pki auto-re-enrollment] hierarchy level:

[edit security pki auto-re-enrollment]
certificate-id certificate-name;

Specify the CA Profile

Use the ca-profile statement to specify the name of the CA profile from the router certificate previously specified by certificate ID. To specify the CA profile, include the statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]
ca-profile ca-profile-name;

Note:

The referenced ca-profile must have an enrollment URL configured at the [edit security pki ca-profile ca-profile-name enrollment url] hierarchy level.

Specify the Challenge Password

The challenge password is used by the CA specified by the PKI certificate ID for reenrollment and revocation. To specify the challenge password, include the following statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]
challenge-password password;

Specify the Reenroll Trigger Time

Use the re-enroll-trigger-time-percentage statement to set the percentage of the validity period before expiration at which reenrollment occurs. To specify the reenroll trigger time, include the following statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]
re-enroll-trigger-time-percentage percentage;

percentage is the percentage for the reenroll trigger time. The range can be from 1 through 99 percent.

Specify the Regenerate Key Pair

When a regenerate key pair is configured, a new key pair is generated during reenrollment. On successful reenrollment, a new key pair and new certificate replace the old certificate and key pair. To generate a new key pair, include the following statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]
re-generate-keypair;

Specify the Validity Period

The validity-period statement specifies, in days, how long the specified router certificate remains valid. To specify the validity period, include the statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]
validity-period days;

days is the number of days for the validity period. The range can be from 1 through 4095.
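As an added example (not from the Junos documentation this page summarizes), the following Python script parses a constructed auto-re-enrollment stanza, checks the documented ranges for re-enroll-trigger-time-percentage (1-99) and validity-period (1-4095), and computes from a certificate start date when the certificate expires and when reenrollment fires. The certificate names, CA profile name, start date and placeholder password are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample [edit security pki auto-re-enrollment] stanza; names and values are assumptions.
SAMPLE_CONFIG = """auto-re-enrollment {
    certificate-id router-cert-1 {
        ca-profile corp-ca;
        challenge-password "PLACEHOLDER-PW16";
        re-enroll-trigger-time-percentage 10;
        re-generate-keypair;
        validity-period 365;
    }
    certificate-id router-cert-2 {
        ca-profile corp-ca;
        re-enroll-trigger-time-percentage 50;
        validity-period 5000;
    }
}"""

def parse_auto_re_enrollment(text):
    """Return {certificate-id: {statement: value}}; flag statements map to True."""
    certs = {}
    for name, body in re.findall(r"certificate-id\s+(\S+)\s*\{(.*?)\}", text, re.S):
        stmts = {}
        for line in body.splitlines():
            line = line.strip().rstrip(";")
            if line:
                key, _, value = line.partition(" ")
                stmts[key] = value.strip().strip('"') if value else True
        certs[name] = stmts
    return certs

def reenroll_plan(cert, start_iso):
    """Trigger fires when pct percent of the validity period still remains before expiry."""
    start = datetime.fromisoformat(start_iso)  # certificate start date/time
    pct = int(cert["re-enroll-trigger-time-percentage"])
    days = int(cert["validity-period"])
    if not 1 <= pct <= 99:  # documented range for the trigger percentage
        return {"error": f"re-enroll-trigger-time-percentage {pct} out of range 1-99"}
    if not 1 <= days <= 4095:  # documented range for validity-period
        return {"error": f"validity-period {days} out of range 1-4095"}
    expiry = start + timedelta(days=days)
    return {"ca_profile": cert["ca-profile"],
            "regenerate_keypair": cert.get("re-generate-keypair") is True,
            "expires": expiry,
            "reenroll_at": expiry - timedelta(days=days * pct / 100)}

if __name__ == "__main__":
    for name, cert in parse_auto_re_enrollment(SAMPLE_CONFIG).items():
        print(name, reenroll_plan(cert, "2024-01-01"))
```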


How do I enable auto

Go to User Configuration > Windows Settings > Security Settings > Public Key Policies, and then, under the Object Type section in the right pane, select Certificate Services Client - Auto-Enrollment.

How does certificate auto

Certificate auto-enrollment allows users to enroll for certificates with no user intervention needed (well, in most cases, that is). Long story short, Microsoft certificate auto-enrollment automates the whole process and allows certificates to be automatically renewed and updated.

How do I enable certificate authority?

In Select Server Roles, in Roles, select Active Directory Certificate Services. When you are prompted to add required features, click Add Features, and then click Next. In Select features, click Next. In Active Directory Certificate Services, read the provided information, and then click Next.

What is a certificate enrollment process?

A typical certificate enrollment process involves the requester generating a key pair (one public key and one private key), sending only the public key to a CA inside a CSR (Certificate Signing Request), and then receiving back a CA-signed TLS certificate containing that public key, which the requester can then install on an endpoint.