I hope this will be an easy question.
OS: Windows Server 2016 Standard
Running a Windows Certificate Authority.
Scenario: We have had a duplicate of the standard "Client Server Authentication" template published for quite some time. This auto-enrolls our domain-joined compters and places a computer certificate on the local machines. At this point I need to adjust the ACLs on the template - I will be adding an additional AD group and setting that group as a "deny" for auto-enroll in the template ACL.
Here is my question: once I do that, how to I get the changes updated on the "active" template?
I'm familiar with publishing a template that is new for us in the normal way like this:
Right-click certificate templates in the main MMC > New > Certificate Template to Issue
However, I'm not sure about updating an existing one like this and getting the changes out there to the domain machines that are currently pulling certs from this template with auto-enroll. I could just delete the version we have published and go through the above to re-publish the same template that has been updated, but I'm not sure that is the best way.
After adjusting the ACL, should I be using "Re-enroll all certificate holders" on that template from within the "Manage' MMC instead?
if you update any property of a certificate template it will be effective for NEW enrollments from this point on (depends a bit on DC replication because the change has to be replicated throughout the domain).
However, existing certificates on systems that have already enrolled a certificate based on this template will not be affected. They will be able to use the certificate until it expires.
At one customer I additionally had to remove the certificate template from the CA configuration and re-add it (New - certificate template to issue; not the template itself!). But from my point of view this should not be necessary.