In a Windows PKI, what is a Workstation Authentication CA Template used for? What happens if it expires?

Many workstations have an expiring computer certificate that was issued using the Workstation Authentication CA template. The CA of this template expires in 2 days.

I've deployed a new CA, with an extended date, and have successfully enrolled many machines this weekend.

I'm now concerned about workstations that are powered off, or otherwise didn't get a new computer certificate from the Enterprise CA.

Q:

  • What are the Workstation Certificates used for? Kerberos?
  • Will users/machines be able to log in Monday morning (post expiration date)?
  • Once the certificates are expired, will it be possible for the machines to get new certificates?

Since I'm using Windows 2012 R2, it's possible that downlevel NTLM would be used as an alternative to Kerberos and this isn't an issue... although I'm not sure if this is acceptable in all cases: (e.g. DCOM enrollment of certificates)


Solution 1:

• What are the Workstation Certificates used for? Kerberos?

No. Kerberos doesn't use SSL/TLS certificates.**

An administrator may choose to use a given certificate template for any number of different things, so I'd say it's impossible for us to know right now what exactly those certificates were being used for in your environment.

The Workstation Authentication template is very similar to the Computer certificate template, though. Both of these cert templates offer computer authentication. So the certificates could be used to establish machine-to-machine SSL/TLS connections.

For instance, one example of how the Workstation Authentication certificates might have been used is for client authentication with SCCM, so that SCCM knows it's talking to the right client.

• Will users/machines be able to log in Monday morning (post expiration date)?

Most likely. Active Directory doesn't require certificates to be able to log in to the domain under a typical configuration. But you may have some ancillary service in your environment that breaks... whatever was using those certs before, we don't know.

• Once the certificates are expired, will it be possible for the machines to get new certificates?

You configure certificate auto-enrollment policies in Active Directory by using a combination of Group Policy and permissions on the certificate template that allow the machines to auto-enroll. You should almost never need or want to be manually enrolling in certificates in an Active Directory environment.

Since I'm using Windows 2012 R2, it's possible that downlevel NTLM would be used as an alternative to Kerberos and this isn't an issue... although I'm not sure if this is acceptable in all cases: (e.g. DCOM enrollment of certificates)

A client's ability to enroll in a certificate from an enterprise CA will not be affected by whether that client has a valid certificate or not. It's a different certificate template from what I can tell from your post, so the fact that the old certificate template is expired won't play into whether a computer can automatically re-enroll in it or not. If it's a new template, you need to configure Group Policy to allow for auto-enrollment of that new template.

** - Not for the purposes of this discussion.

Solution 2:

• What are the Workstation Certificates used for? Kerberos?

They can be used for client authentication during secure channel negotiation (for example, in IPsec or in L2TP VPN). They are not used for initial client authentication when the machine starts up.

• Will users/machines be able to log in Monday morning (post expiration date)?

Yes, why not?

• Once the certificates are expired, will it be possible for the machines to get new certificates?

Manually -- yes; automatically -- no. Even if you are using autoenrollment, they must be renewed before they expire, otherwise autoenrollment will not be able to sign the renewal request.

And to summarize: client certificates are not used until some application is configured to perform certificate-based authentication for computers (not users).
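Both answers turn on the same practical question: which machines still hold a certificate from the old template, how close to expiry it is, and whether an autoenrollment pass can be kicked off before the window closes. The script below is an added example, not code from the question or either answer; it inventories the local machine store for certificates carrying the Certificate Template extension that names a given template (display name "Workstation Authentication" and a 7-day warning window are assumed defaults), reports the state of each, and optionally triggers autoenrollment with `certutil -pulse`. On a host that cannot resolve the template OID to a display name, `Format()` shows only the OID, so pass that OID as `-TemplateName` instead.

```powershell
# Added example (not from the question or the answers): report certificates
# issued from a given template in LocalMachine\My and optionally trigger an
# autoenrollment pass. Run on the workstation, elevated.
param(
    [string]$TemplateName = 'Workstation Authentication',  # assumed default
    [int]$WarnDays = 7,                                    # assumed default
    [switch]$Pulse
)

# OIDs of the Certificate Template extensions (v1 template name, v2 template info).
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')
$now = Get-Date

# Keep only certificates whose template extension mentions the requested template.
# Format($false) renders e.g. "Template=Workstation Authentication(1.3.6.1.4.1.311.21.8...)".
$found = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value }
    $ext -and ((($ext | ForEach-Object { $_.Format($false) }) -join ';') -like "*$TemplateName*")
}

if (-not $found) {
    Write-Warning "No certificate from template '$TemplateName' found in LocalMachine\My."
}

foreach ($cert in $found) {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    $state = if ($cert.NotAfter -lt $now) { 'EXPIRED' }
             elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
             else { 'OK' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        State      = $state
    }
}

# Run the autoenrollment client now instead of waiting for the scheduled
# "Certificate Services Client - Auto-Enrollment" task; whether a renewal or
# a fresh enrollment results depends on Group Policy and template permissions.
if ($Pulse) {
    certutil -pulse | Out-Null
    Write-Host 'Autoenrollment triggered; re-run without -Pulse to confirm a new certificate appeared.'
}
```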