Allow for Additional Certificate Find Types

Feedback / Product Ideas and Feature Requests / Axiom

laruer
1 yr ago
4replies
Released

Right now, Axiom only allows for two of the possible X509FindTypes when configuring Axiom to use HTTPS. It would be helpful to be able to choose FindByTemplateName as the Find Type instead. This would also be helpful for the other Canary services that use certificates.

- smason
- 1 yr ago
- Reported - view
Hi laruer ,

What is the use case for this over using the SubjectName instead?
- laruer
  
  1 yr ago
  
  Reported - view
  Steve Mason In many environments, a server may be configured for certificate auto-enrollment. This service will automatically renew certificates when they expire. Due to the requirements of many mobile devices, these certificates may need to be renewed every 398 days. A server may receive many certificates from the auto-enrollment service, all using the same SubjectName, but using different certificate templates. Therefore, it would be beneficial to specify FindByTemplateName so that when a certificate is automatically renewed, Canary services will be able to use it. As it stands right now, the only other option is to use FindByThumbprint. But with automatically renewing certificates, the thumbprint changes each time the certificate is renewed, requiring a manual change of the thumbprint within the settings of each Canary service.
- Senior Software Engineer
  
  Josh_Wolf
  
  1 yr ago
  
  Reported - view
  laruer When the certificate with a particular template name is renewed, are older certificates with the same template name removed? I.E. Is there only one certificate with a particular template name on the system at any given time or could there be multiple certificates that would be returned with a FindByTemplateName search?
- laruer
  
  1 yr ago
  
  Reported - view
  Josh Wolf Yes, the old certificate based on that template is removed and a new one takes its place. This happens on a group policy refresh. At least, in our environment, that is the case.