Certificate Request
3 Topics

Computer certificate re-enrollment after ADCS architecture change and certificate revocation
Originally, I set up an ADCS server as an Enterprise Root CA. Automatic certificate enrollment was enabled via a GPO and computers were automatically assigned certificates. The more I learned about ADCS this year, the more uncomfortable I became with this configuration from a security perspective. I added an intermediate SubCA recently which was configured to use the Computer template. I removed the Computer template (and all other templates except for the SubCA template) from the Enterprise Root. Then I revoked all of the computer certificates on the Enterprise Root CA. I figured they would all just re-enroll automatically on the SubCA (I'm using a GPO to enable this) but that is not what happened. They are not re-enrolling. I confirmed that I am able to issue Computer certificates from the SubCA manually using MMC and the Certificates snap-in. I discovered how to remove the old, revoked certificates from the clients with PowerShell but the Get-Certificate applet is simply not working so I cannot issue new certificates from the SubCA. If I have to, I can manually assign new Computer certificates but there has got to be an easier way to do this (I was counting on the automatic certificate enrollment option). Ideally, I just want the computers to automatically obtain new certificates from the new SubCA. My hypothesis that the computers would simply re-enroll on the SubCA after their certificates were revoked proved to be incorrect but I cannot understand why. I've been researching this for about a week now and cannot figure out what I am missing, so I am hoping one of you may be able to offer some insight.

Add Template Support for Custom Policy Module for Enterprise CA
Hi all, I hope I'm in the right community hub here. We are developing a custom policy module which should do nothing else than adapt some values given by the CSR for a set of given templates. Although we did quite an amount of research, we weren't able to find more than the Microsoft documentation and the sample (also provided by MS) here: https://github.com/microsoft/Windows-classic-samples/tree/main/Samples/Win7Samples/security/certificateservices/policy/c%2B%2B/WindowsServer2008R2 So, the required functionality can easily be implemented, BUT this sample has no security enabled and does not respect the settings given by the template. E.g. if the template says that a certificate should be valid for 1 year, the CA still issues certificates that are valid for 2 years. Is there somewhere any source code available which is suitable for an Enterprise CA that we could take as a base, or any other hint where to look apart from the usual MS Docu, which is not very extensive in that respect? Any hints or help would be greatly appreciated.

Request Computer Certificate from CA in another AD Forest
Hello, I am wondering if there is a way to generate a certificate request for a computer in one AD forest and use the CSR to generate the certificate on the CA in another AD forest. Does anyone know if this is possible? I cannot find documentation on this in my Google searches. Thanks in advance!