Computer certificate re-enrollment after ADCS architecture change and certificate revocation
Originally, I set up an ADCS server as an Enterprise Root CA. Automatic certificate enrollment was enabled via a GPO and computers were automatically assigned certificates. The more I learned about ADCS this year, the more uncomfortable I became with this configuration from a security perspective. I added an intermediate SubCA recently which was configured to use the Computer template. I removed the Computer template (and all other templates except for the SubCA template) from the Enterprise Root. Then I revoked all of the computer certificates on the Enterprise Root CA. I figured they would all just re-enroll automatically on the SubCA (I'm using a GPO to enable this) but that is not what happened. They are not re-enrolling. I confirmed that I am able to issue Computer certificates from the SubCA manually using MMC and the Certificates snap-in. I discovered how to remove the old, revoked certificates from the clients with PowerShell but the Get-Certificate applet is simply not working so I cannot issue new certificates from the SubCA. If I have to, I can manually assign new Computer certificates but there has got to be an easier way to do this (I was counting on the automatic certificate enrollment option). Ideally, I just want the computers to automatically obtain new certificates from the new SubCA. My hypothesis that the computers would simply re-enroll on the SubCA after their certificates were revoked proved to be incorrect but I cannot understand why. I've been researching this for about a week now and cannot figure out what I am missing so am hoping one of you may be able to offer some insight.
PKIVIEW download error
We are deploying a 2-tier PKI with an offline Root CA and an Enterprise SubCA. After deploying the Root CA with CRL and AIA pointing to a web server http://crl.company.com we copied there the Root CA's Certificate and CRL. From the subordinate CA server we're able to open the publishing web site and load the crl and crt via Web browser. However when using PKIVIEW to check the setup we saw a "Download error" for both the Root and Subordinate CA. is there anyone that can help on this ? thanks
