Updating the service account certificate used to work with certification authority
Posted by Mikhail Yakovlev, Last modified by Mikhail Yakovlev on 13 March 2019 09:48 AM

Question:
The certificate used to work with the CA is about to expire. How should I update it properly?

Answer:
The certificate update procedure depends on the certification authority used. Below is the procedure for Microsoft Enterprise CA certificates.

Microsoft Enterprise CA 
The quickest and most convenient method is to re-issue the certificate using the IndeedCM.CertEnroll.MsCA.exe utility.
Perform the following procedure:

1. Run the CertEnroll.MsCA.exe utility on the Indeed CM server with the /e <service username> <password> parameters, using an account with local administrator privileges, where:

  • service username is the name of the service account used to work with certification authorities (serviceca)
  • password is the password of that account.

Example: IndeedCM.CertEnroll.MsCA.exe /e serviceca password1

Utility execution result is like the following:

DumpVariantStringWorker: 0: "Microsoft Enhanced Cryptographic Provider v1.0"
DumpVariantStringWorker: 1: "Microsoft Base Cryptographic Provider v1.0"
DumpVariantStringWorker: 2: "Microsoft Base DSS Cryptographic Provider"
CA: w2k3e.demo.local\MSCA 'EnrollmentAgent' certificate has been enrolled successfully.

2. If the request has to be approved by a CA operator, the utility prompts you to accept the request and then continue, indicating the request ordinal number and the key container name:

CA: w2k3e.demo.local\MSCA
Certificate request is pending.
Request id: 27
Container name: lr-EnrollmentAgent-175d9490-7481-4a29-b567-503d39747354
Please accept request and then install certificate.

3. After the request is approved, you need to execute a command to install the certificate into the certificate store.
To do so, run the CertEnroll.MsCA.exe utility with the /i <service username> <password> <requestId> <containerName> parameters, where:

  • service username is the name of the service account used to work with certification authorities (serviceca)
  • password is the password of that account.
  • requestId is the ordinal number of the certificate request.
  • containerName is the name of the key container.

Example: IndeedCM.CertEnroll.MsCA.exe /i serviceca password1 27 lr-EnrollmentAgent-175d9490-7481-4a29-b567-503d39747354

Utility execution result is like the following:

CA: w2k3e.demo.local\MSCA
Certificate has been installed successfully.

4. If required, you can also specify the name of the certificate template (Enrollment Agent), as well as the certification authority to address (if several are deployed).

Example: CertEnroll.MsCA.exe /e service password /t="EnrollmentAgent" /c="WS2008R2.test.local\Indeed-CA"

As a result, the certificate store of the computer with the Indeed CM server installed should contain a certificate with the Enrollment Agent role. That certificate must have an exportable private key, and the service account must be granted permissions to manage its private key.
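The following script is an added verification example and is not part of the original article or the Indeed CM utility. It checks the conditions described above on the Indeed CM server: that Cert:\LocalMachine\My contains a certificate with the Certificate Request Agent (Enrollment Agent) EKU, how many days remain before it expires, whether its private key is exportable, and whether the service account has read access to the private key file. It assumes Windows PowerShell 5.1 run from an elevated prompt and that the service account is passed domain-qualified (for example DOMAIN\serviceca); the -ServiceAccount and -WarnDays parameters and the helper function names are this example's own.

```powershell
# Added example (not from the original KB article): verify the renewed
# Enrollment Agent certificate after running IndeedCM.CertEnroll.MsCA.exe.
# Assumptions: Windows PowerShell 5.1, elevated prompt on the Indeed CM server,
# -ServiceAccount given as DOMAIN\user (e.g. DOMAIN\serviceca).
param(
    [Parameter(Mandatory)] [string] $ServiceAccount,
    [int] $WarnDays = 30
)

# EKU "Certificate Request Agent": the role the article calls Enrollment Agent.
$EnrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'

function Get-EnrollmentAgentCertificates {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EnrollmentAgentEku }
}

function Get-PrivateKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    if (-not $Cert.HasPrivateKey) { return $null }

    # CAPI keys surface as RSACryptoServiceProvider; CNG keys need GetRSAPrivateKey.
    $key = $Cert.PrivateKey
    if (-not $key) {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    }

    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key, e.g. "Microsoft Enhanced Cryptographic Provider v1.0"
        $info = $key.CspKeyContainerInfo
        return [pscustomobject]@{
            Exportable = $info.Exportable
            KeyFile    = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
        }
    }
    if ($key -is [System.Security.Cryptography.RSACng]) {
        # CNG key stored by the Microsoft Software Key Storage Provider
        $policy     = $key.Key.ExportPolicy
        $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
        return [pscustomobject]@{
            Exportable = $exportable
            KeyFile    = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $key.Key.UniqueName
        }
    }
    return $null
}

function Test-ServiceAccountKeyAccess {
    param([string] $KeyFile, [string] $Account)
    if (-not $KeyFile -or -not (Test-Path -LiteralPath $KeyFile)) { return $false }
    # Read access to the key file is what the service needs to use the private key.
    $rules = (Get-Acl -LiteralPath $KeyFile).Access | Where-Object {
        $_.IdentityReference.Value -ieq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0
    }
    return [bool] $rules
}

$certs = @(Get-EnrollmentAgentCertificates)
if ($certs.Count -eq 0) {
    Write-Warning "No certificate with the Certificate Request Agent EKU found in Cert:\LocalMachine\My."
    return
}

foreach ($cert in $certs) {
    $daysLeft = [int] ($cert.NotAfter - (Get-Date)).TotalDays
    $keyInfo  = Get-PrivateKeyInfo -Cert $cert
    $canRead  = if ($keyInfo) { Test-ServiceAccountKeyAccess -KeyFile $keyInfo.KeyFile -Account $ServiceAccount } else { $false }

    [pscustomobject]@{
        Subject               = $cert.Subject
        Thumbprint            = $cert.Thumbprint
        NotAfter              = $cert.NotAfter
        DaysLeft              = $daysLeft
        ExpiresSoon           = ($daysLeft -le $WarnDays)
        HasPrivateKey         = $cert.HasPrivateKey
        Exportable            = if ($keyInfo) { $keyInfo.Exportable } else { $false }
        ServiceAccountCanRead = $canRead
    }
}
```

Run it as `.\Check-EnrollmentAgentCert.ps1 -ServiceAccount 'DOMAIN\serviceca'` after step 3. Two certificates with the Enrollment Agent EKU will normally be listed right after renewal (the old and the new one); the new one should show Exportable and ServiceAccountCanRead as True and DaysLeft well above the warning threshold. If ServiceAccountCanRead is False for the new certificate, grant the service account read permission on the private key (Certificates snap-in, All Tasks -> Manage Private Keys) before the old certificate expires.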

You can also issue a new certificate with the Certificates snap-in. The procedure is described in the Indeed CM installation and configuration manual, System settings to use Microsoft certification authority -> Certificate issue using the Certificates snap-in.
