SOLVED

Certificate Templates Question


Hello all,
I hope this will be an easy question.

OS: Windows Server 2016 Standard
Running a Windows Certificate Authority.

Scenario: We have had a duplicate of the standard "Client Server Authentication" template published for quite some time. This auto-enrolls our domain-joined computers and places a computer certificate on the local machines. At this point I need to adjust the ACLs on the template - I will be adding an additional AD group and setting that group as a "deny" for auto-enroll in the template ACL.

Here is my question: once I do that, how do I get the changes updated on the "active" template?
I'm familiar with publishing a template that is new for us in the normal way like this:
Right-click certificate templates in the main MMC > New > Certificate Template to Issue

However, I'm not sure about updating an existing one like this and getting the changes out there to the domain machines that are currently pulling certs from this template with auto-enroll. I could just delete the version we have published and go through the above to re-publish the same template that has been updated, but I'm not sure that is the best way.

After adjusting the ACL, should I be using "Re-enroll all certificate holders" on that template from within the "Manage" MMC instead?
Thanks!

2 Replies
Best Response confirmed by Dave101 (New Contributor)
Solution

Hi @Dave101,

If you update any property of a certificate template, it will be effective for NEW enrollments from this point on (depends a bit on DC replication, because the change has to be replicated throughout the domain).

However, existing certificates on systems that have already enrolled a certificate based on this template will not be affected. They will be able to use the certificate until it expires.

At one customer I additionally had to remove the certificate template from the CA configuration and re-add it (New - Certificate Template to Issue; not the template itself!). But from my point of view this should not be necessary.
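The two points above (the deny-Autoenroll ACE the question asks about, and the reply's point that a template change only governs new enrollments) can be done and checked from PowerShell rather than the MMC. The script below is an added example and is not code from either poster; it assumes the RSAT ActiveDirectory module, an account allowed to edit the template (Enterprise Admins by default) and the certutil.exe that ships with AD CS. The template name `CustomClientServerAuth` and the group `NoAutoEnroll-Computers` are placeholders for the duplicated template and the new AD group.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory, rights to edit the
# template, and certutil.exe. Template and group names below are placeholders.
Import-Module ActiveDirectory

$TemplateName = 'CustomClientServerAuth'   # cn of the duplicated template (assumed name)
$DenyGroup    = 'NoAutoEnroll-Computers'   # sAMAccountName of the new AD group (assumed name)

# Templates are objects in the Configuration partition: one edit is seen by every CA
# and every DC in the forest once replication has completed.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Extended-right GUIDs behind the "Enroll" and "Autoenroll" boxes in the template ACL editor.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# 1. Add an explicit Deny ACE for Autoenroll only. Enroll is left untouched, so a member
#    that also holds Enroll can still request a certificate manually; deny Enroll as well
#    if the intent is to keep the group off the template entirely.
$groupSid = (Get-ADGroup -Identity $DenyGroup).SID
$acl = Get-Acl -Path "AD:\$templateDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $AutoEnrollRight)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# 2. Read the enrollment ACEs back from every DC, so you can see when the change has
#    replicated. An ObjectType of all zeros is "all extended rights", which includes
#    Enroll and Autoenroll and is easy to miss in the GUI.
function Get-TemplateEnrollAce {
    param([string]$Dn, [string]$Server)
    $sd = (Get-ADObject -Identity $Dn -Server $Server -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $sd.Access |
        Where-Object { ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 } |
        Where-Object { $_.ObjectType -in @($EnrollRight, $AutoEnrollRight, [Guid]::Empty) } |
        Select-Object @{n='DC'; e={ $Server }}, IdentityReference, AccessControlType,
            @{n='Right'; e={
                if     ($_.ObjectType -eq $AutoEnrollRight) { 'Autoenroll' }
                elseif ($_.ObjectType -eq $EnrollRight)     { 'Enroll' }
                else                                        { 'AllExtendedRights' } }}
}
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-TemplateEnrollAce -Dn $templateDN -Server $dc
}

# 3. The ACL governs new requests only. Certificates already issued from this template
#    stay valid until NotAfter unless revoked; list them from the CA database by template
#    OID (v2 and later templates are recorded by OID, not by display name).
$templateOid = (Get-ADObject -Identity $templateDN -Properties 'msPKI-Cert-Template-OID').'msPKI-Cert-Template-OID'
certutil -view -restrict "CertificateTemplate=$templateOid,Disposition=20" -out "RequestID,RequesterName,NotAfter"
```

Step 3 is the list of machines the reply is talking about: nothing in the ACL change touches them, and the certificates remain usable until they expire or are revoked. An ACL-only change does not need "Re-enroll all certificate holders"; that action raises the template's major version and makes every autoenrolled client replace its current certificate on the next autoenrollment pass, which is more churn than a permissions change calls for.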


@BenKrah Thanks for the reply Ben.  I will just do the template update only then and see how that goes with new certificates after that point.