Category Archives: Certification Authority

Create 10 years Certificate template for Skype for Business, Exchange Server .etc

A certificate template with a long validity period has become something many administrators want, because of the amount of work it takes to renew certificates on every server that depends on them.

Some servers renew their certificates automatically through GPO auto-enrollment, but when that does not work, or if you would rather not deal with GPO and its headaches, the simplest fix is a template with a long validity period that leaves you in peace for a while.

Note that a long-lived certificate (10 years, for example) is not good practice: algorithms weaken over time (SHA-1 signatures are already being rejected by clients), a long validity period means a compromised private key stays usable until you revoke it, and revocation only helps if your CRL or OCSP responder is published and reachable by every client. If you follow this article and create a 10-year template for your servers, keep an eye on news about certificate, encryption and signature-algorithm weaknesses so that your certificates do not become exploitable.

To begin this article, I will tell a short story about a company that suffered a production disaster because of what might look like a tiny problem.

A company called AP had deployed Lync 2013 (now Skype for Business) and decided to use the CA's default Web Server template, which issues certificates valid for 2 years by default.

This company called me when all their Lync servers were down and PSTN calls were not going through. The first thing that came to my mind was to check the services, and as soon as I saw that the services would not start, I checked the Lync section of the event log.

The errors mostly referred to an expired certificate. After renewing the certificates on all servers everything went back to normal, but the outage was long and it cost the company a lot of productivity.

That is where the idea of a template that lasts 10 years came from. Achieving this for Exchange (and Lync/Skype for Business) is done through the following steps:


On the CA server, open the Certification Authority MMC console.

Right-click Certificate Templates and click Manage.

In the Certificate Templates console, right-click the Web Server template and click Duplicate Template.

For the template version, select Windows Server 2003 Enterprise (a version 2 template; the built-in Web Server template cannot be edited, which is why it is duplicated). Give the copy a name, for example Web Server V2, and set the Validity period on the General tab to the lifetime you want (10 years for this article).

On the Request Handling tab, enable "Allow private key to be exported". Lync/Skype for Business and Exchange need this so that the same certificate can be assigned to several servers or moved during a migration. Keep in mind that an exportable key is also easier for an attacker to steal from a compromised server.

On the Security tab, grant Enroll to Authenticated Users. Because the Web Server template takes its subject and SANs from the request, anyone who can enroll can request a certificate for any host name, so in practice it is better to grant Enroll only to the server computer accounts (or a group containing them) rather than to all Authenticated Users.

Back in the Certification Authority console, right-click Certificate Templates and click New -> Certificate Template to Issue, then add the template you created to the list.

Web Server V2 now appears at the top of the list.

Let's check it on the CA's web enrollment page (certsrv on IIS).

The certificate came out valid for 5 years rather than the 10 the template asks for. An issued certificate's lifetime is the smallest of three values: the template's validity period, the CA's ValidityPeriod setting in the registry (the certutil commands further down change it), and the remaining lifetime of the CA's own certificate, which in this case was 5 years.

So the CA certificate must be valid for longer than the longest certificate you want the CA to issue, and the registry limit has to be raised as well.
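The three limits described above can be read off the CA server directly. The following is an added example, not code from the original post: it reads the registry values that certutil -setreg ca\ValidityPeriod and ca\ValidityPeriodUnits write, finds the CA's current certificate through the CACertHash value, and reports which of the three caps is the one actually limiting issuance. The template validity (10 years) is an assumption; read your own template's value from the Certificate Templates console.

```powershell
# Added example (not from the original post): compute the longest validity
# this CA can issue right now and say which limit is responsible.
# Run on the CA server in an elevated PowerShell session.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active          # name of the active CA instance
$caCfg  = Get-ItemProperty -Path "$cfg\$caName"

# 1. Registry cap (what certutil -setreg ca\ValidityPeriod[Units] changes; default 2 Years)
$units  = [int]$caCfg.ValidityPeriodUnits
$period = $caCfg.ValidityPeriod                          # Years, Months, Weeks or Days
$now    = Get-Date
$regCap = switch ($period) {
    'Years'  { $now.AddYears($units) }
    'Months' { $now.AddMonths($units) }
    'Weeks'  { $now.AddDays(7 * $units) }
    'Days'   { $now.AddDays($units) }
}

# 2. Remaining lifetime of the CA's current certificate. CACertHash lists the
#    hash of every CA certificate the instance has had; the last one is current.
$hash   = ($caCfg.CACertHash | Select-Object -Last 1) -replace '\s', ''
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
if (-not $caCert) { throw "CA certificate with thumbprint $hash not found in LocalMachine\My" }
$caCap  = $caCert.NotAfter

# 3. Validity period of the template you are issuing from (assumed: 10 years)
$templateYears = 10
$tplCap = $now.AddYears($templateYears)

# The issued certificate cannot outlive any of the three
$effective = ($regCap, $caCap, $tplCap | Sort-Object)[0]
$limitedBy = if ($effective -eq $caCap)     { 'CA certificate lifetime (renew the CA certificate first)' }
             elseif ($effective -eq $regCap) { 'ca\ValidityPeriod registry setting (raise it with certutil -setreg)' }
             else                            { 'template validity period' }

[pscustomobject]@{
    CA                = $caName
    RegistryCap       = $regCap
    CACertExpires     = $caCap
    TemplateCap       = $tplCap
    LongestIssuableTo = $effective
    LimitedBy         = $limitedBy
}
```

Run it before and after changing the registry or renewing the CA certificate; if LimitedBy still names the CA certificate, a longer template or a higher ValidityPeriodUnits will not change what gets issued.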


Extending the validity period of the CA's own certificate

To change the validity period of a root CA's certificate you configure a CAPolicy.inf. The RenewalValidityPeriod settings only apply to a root (self-signed) CA; a subordinate CA's certificate lifetime is decided by the parent CA that signs it. To create a CAPolicy.inf that gives the renewed CA certificate a 30-year lifetime, type the following into a text file and save it as CAPolicy.inf in the C:\Windows directory (%SystemRoot%) before you renew the CA certificate:

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=30

From <http://blogs.technet.com/b/xdot509/archive/2013/06/06/operating-a-windows-pki-renewing-ca-certificates.aspx>

After this you need to renew the CA certificate from the CA console: right-click your certification authority and choose All Tasks -> Renew CA Certificate.

When you click Renew CA Certificate you get a prompt asking you to stop the CA so that its certificate can be renewed. Click Yes.

Once you click Yes the service stops and you are asked whether you want to generate a new public and private key pair. If you choose Yes, the CA gets a new key and a new certificate; certificates that were already issued still chain to the old CA certificate, and clients have to trust the new one too. Domain-joined clients pick it up from Active Directory (or you push it with GPO), but clients outside the domain need the new CA certificate installed by hand. If you choose No, the CA keeps its existing key and simply gets a certificate with the new, longer lifetime, which is the less disruptive option as long as the key is still of adequate strength.

Click OK.

After clicking OK you will see that the new CA certificate has been generated, and you can go back to issuing client certificates.

To allow the CA to issue certificates that live longer than the default limit (2 years), you must also run the following commands at an elevated command prompt on the CA server. This setting is a ceiling for every template the CA issues, not a default: each template's own validity period still applies, so set it to the longest lifetime you ever intend to issue and restart the CA service afterwards.

certutil -setreg ca\ValidityPeriodUnits 30
certutil -setreg ca\ValidityPeriod "Years"
net stop certsvc
net start certsvc

Now, when you request a new certificate for Exchange or any other application, choose the new template; the CA can now issue it for the template's full validity period (30 years in this example).
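The request itself can be done from the command line instead of the certsrv web page. The following is an added example, not code from the original post: it builds a certreq INF with several SANs (as a Lync or Exchange server needs), submits it to the enterprise CA against the duplicated template, installs the issued certificate and then checks how many years the CA actually granted. The template name WebServerV2, the host names, the CA config string and the expected lifetime are assumptions; substitute your own values.

```powershell
# Added example (not from the original post): request a multi-SAN server
# certificate from the duplicated template and verify the issued lifetime.
# Run as administrator on the server that needs the certificate.
$templateName  = 'WebServerV2'                      # template NAME (no spaces), not its display name
$fqdn          = 'mail.contoso.com'                   # assumed host names
$sans          = 'mail.contoso.com', 'autodiscover.contoso.com', 'sip.contoso.com'
$caConfig      = 'ca01.contoso.local\Contoso Issuing CA'   # "host\CA name"; certutil -dump shows yours
$expectedYears = 10                                    # what the template was set to

# One _continue_ line per SAN; certreq concatenates them into the 2.5.29.17 extension
$sanLines = ($sans | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
$inf = @"
[NewRequest]
Subject = "CN=$fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256
[Extensions]
2.5.29.17 = "{text}"
$sanLines
[RequestAttributes]
CertificateTemplate = $templateName
"@

$work = Join-Path $env:TEMP 'certreq'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path "$work\req.inf" -Value $inf -Encoding Ascii

# 1. create key pair + CSR, 2. submit to the enterprise CA, 3. bind the issued cert to its key
certreq -new    "$work\req.inf" "$work\req.csr"
certreq -submit -config $caConfig "$work\req.csr" "$work\cert.cer"
certreq -accept "$work\cert.cer"

# The cert lands in LocalMachine\My because of MachineKeySet = TRUE
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$years = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
'{0} valid {1:N1} years, until {2:yyyy-MM-dd}' -f $cert.Thumbprint, $years, $cert.NotAfter

if ($years -lt ($expectedYears - 0.5)) {
    Write-Warning "Issued for less than the template's $expectedYears years: check ca\ValidityPeriod on the CA and the CA certificate's own expiry"
}
```

If the warning fires, the CA silently capped the lifetime; nothing in the request can override that, so fix the CA side (registry limit or CA certificate) and request again.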


Free Multi SAN Certificate for your Exchange for two years

I am sure a lot of people have been looking for a free certificate, but a Google search always returns the same commercial CA providers plus the one free SSL provider, StartCom, which issues a single-name certificate for one year.

But WoSign (which also uses the StartCom CA) provides a 2-year multi-SAN certificate for free. I tried it with 2 SANs and with 6 SANs and in both cases it worked perfectly for me. I don't use these certificates in production, but they are very useful for lab and test environments, e.g. Exchange hybrid integration or migration, and Lync integration with Lync Online for Enterprise Voice. Note that the WoSign and StartCom roots were later distrusted by the major browser and operating-system vendors, so certificates from either of them are no longer accepted by current clients; treat them strictly as lab material.

Link to the free certificate: click Here

I am going to write the steps to get the certificate below. The longest I have waited for a certificate was 12 hours, but I eventually got it.

The multi-SAN certificate is limited to two years maximum, but it serves the purpose.

Step 1:

Fill in the host names that you want to use the SSL certificate for, each on a new line.

Then select 2 years and the signature algorithm (SHA2, as it is the more secure of the options).

Step 2: verify your domain ownership.

To do so, click Validate Now and then select the email address listed in your domain's Whois record, or the default admin or Administrator@domain.com mailbox.

I usually create an admin user, or make sure I have access to the administrator mailbox on Exchange or Google Apps.

Note: the validation has to be completed within 60 seconds, and the validation email took about 35 seconds to reach me, so you have roughly 25 seconds to copy the validation code in.

Step 3:

Generate a CSR and paste it into the CSR box. Once you have pasted it, click with your mouse anywhere outside the box so that the SANs appear in the small box on the right.

Once the SANs appear, click Generate certificate and you should see the confirmation screen.
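Step 3 needs a CSR that already carries every SAN, and the issued certificate then has to be imported and bound on the Exchange side. The following is an added example, not code from the original post: it generates the multi-SAN request with Exchange's own cmdlets, and, once the CA has returned the certificate, imports it, verifies that every requested name is really in the SAN extension before binding it, and enables it for IIS and SMTP. The host names and file paths are assumptions.

```powershell
# Added example (not from the original post): multi-SAN CSR for Exchange,
# then import, SAN check and binding of the certificate the CA returns.
# Run in the Exchange Management Shell. Host names and paths are assumptions.
$sans = 'mail.contoso.com', 'autodiscover.contoso.com'
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null

# 1. CSR with all SANs and an exportable key; the text in req.txt is what you
#    paste into the CA's CSR box
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$($sans[0]), O=Contoso, C=US" `
    -DomainName $sans `
    -PrivateKeyExportable $true `
    -KeySize 2048
Set-Content -Path C:\certs\req.txt -Value $req -Encoding Ascii

# 2. After the CA has sent back cert.cer, complete the pending request
$cer = [byte[]](Get-Content -Path C:\certs\cert.cer -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -FileData $cer | Out-Null

# 3. Check that every SAN you asked for is actually in the issued certificate.
#    The SAN extension (OID 2.5.29.17) formats as lines of "DNS Name=<host>".
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$cer)
$sanExt = $x509.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$issued = @()
if ($sanExt) {
    $issued = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
              ForEach-Object { $_.Groups[1].Value.ToLower() }
}
$missing = $sans | Where-Object { $issued -notcontains $_.ToLower() }
if ($missing) { throw "Issued certificate is missing SANs: $($missing -join ', ')" }

# 4. Bind it to the client-facing services (-Force skips the default-SMTP-cert prompt)
Enable-ExchangeCertificate -Thumbprint $x509.Thumbprint -Services IIS,SMTP -Force
Get-ExchangeCertificate -Thumbprint $x509.Thumbprint |
    Format-List Subject, CertificateDomains, NotBefore, NotAfter, Services
```

The SAN check matters with a third-party CA: if a name is dropped or altered during validation, you find out here rather than when Outlook or Autodiscover starts throwing name-mismatch warnings.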

I am already using hybrid integration between Exchange 2013 and Exchange Online, and the certificate works very well for me.

Hope you find this useful

Extend MS Exchange Server’s Certificate life


On the Certification Authority server, open the Certification Authority console (MMC).
Right-click Certificate Templates and click Manage.

In the Certificate Templates console, right-click the Web Server template and click Duplicate Template.
Select Windows Server 2003 Enterprise as the template version, name the copy (Web Server V2) and set the validity period you want on the General tab.
On the Request Handling tab, enable "Allow private key to be exported".
On the Security tab, grant Enroll to Authenticated Users (or, better, only to the server computer accounts that should be able to request it).
Back in the Certification Authority console, right-click Certificate Templates and click New -> Certificate Template to Issue, then add the template you created to the list.
Web Server V2 now appears at the top of the list.
Check it on the CA's web enrollment page (certsrv on IIS).
The certificate came out valid for 5 years. The reason is that the issued lifetime is capped by the CA's own certificate, which was limited to 5 years (and by the CA's ValidityPeriod registry setting).
So the CA certificate must be valid for longer than the certificates the clients request.
Extending the validity period of the CA's own certificate
To change the validity period of a root CA's certificate you configure a CAPolicy.inf (for a subordinate CA the parent CA decides the lifetime). To create a CAPolicy.inf that gives the renewed CA certificate a 30-year lifetime, type the following into a text file and save it as CAPolicy.inf in the C:\Windows directory:
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=30
After this you need to renew the CA certificate from the CA console: right-click your certification authority and choose All Tasks -> Renew CA Certificate.

When you click Renew CA Certificate you get a prompt asking you to stop the CA so that its certificate can be renewed. Click Yes.
Once you click Yes the service stops and you are asked whether you want to generate a new public and private key pair. It is up to you, but if you choose Yes, clients that trust the old CA certificate are affected and you may need to install the new CA certificate on all clients using GPO; choosing No keeps the existing key and is less disruptive.
Click OK.

After clicking OK you will see that the new CA certificate has been generated, and you can issue client certificates.

Note: this time I created another template with a 30-year expiration date, after creating the CA policy for 30 years as well.
Now, to allow the CA to issue certificates that live longer than the default limit (2 years), you must also raise the CA's ValidityPeriod and ValidityPeriodUnits registry settings with certutil -setreg, as shown in the previous post, and restart the CertSvc service.

And here we go: after requesting the certificate from the server I got a certificate valid for 30 years.