Allow for Additional Certificate Find Types
Right now, Axiom only allows for two of the possible X509FindTypes when configuring Axiom to use HTTPS. It would be helpful to be able to choose FindByTemplateName as the Find Type instead. This would also be helpful for the other Canary services that use certificates.
-
Hi laruer ,
What is the use case for this over using the SubjectName instead?
-
Steve Mason In many environments, a server may be configured for certificate auto-enrollment. This service will automatically renew certificates when they expire. Due to the requirements of many mobile devices, these certificates may need to be renewed every 398 days. A server may receive many certificates from the auto-enrollment service, all using the same SubjectName, but using different certificate templates. Therefore, it would be beneficial to specify FindByTemplateName so that when a certificate is automatically renewed, Canary services will be able to use it. As it stands right now, the only other option is to use FindByThumbprint. But with automatically renewing certificates, the thumbprint changes each time the certificate is renewed, requiring a manual change of the thumbprint within the settings of each Canary service.
-
laruer When the certificate with a particular template name is renewed, are older certificates with the same template name removed? I.E. Is there only one certificate with a particular template name on the system at any given time or could there be multiple certificates that would be returned with a FindByTemplateName search?
-
Josh Wolf Yes, the old certificate based on that template is removed and a new one takes its place. This happens on a group policy refresh. At least, in our environment, that is the case.
-
Print this page