Best practice to replace legacy Computer (machine) certificate

Trix M 21 Reputation points
2023-06-09T03:13:59.8166667+00:00

What is the recommended best-practice to replace the legacy Computer certificate on (hybrid) AD-joined workstations (and servers)?

We have a legacy CA and a newer CA in the environment - unfortunately no-one took steps to fully decommission the old CA, and it is still issuing machine certificates to all domain computers. We want to ensure the newer CA is issuing the appropriate certs prior to decommissioning the old CA.

What is the recommended template to supersede the legacy machine cert? I understand the legacy Computer template contains both Client and Server OIDs and the default Workstation template only contains the Client OID. Is a certificate based on the Workstation template suitable for baseline security for domain clients, such as authentication and even SCCM ? (Naturally we'd configure a suitable key length and validity interval).

We're not intending to use these certs for VPN, Intune clients etc (those are managed separately). I can't find any Microsoft recommendations on a baseline domain client cert, so if there is such guidance, I'd appreciate a pointer to that too.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,658 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,932 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,854 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 44,406 Reputation points
    2023-06-09T12:37:33.0233333+00:00

    Hello there,

    If you have an on-premises Active Directory Domain Services (AD DS) environment and you want to join your AD DS domain-joined computers to Azure AD, you can accomplish this task by doing hybrid Azure AD join.

    In a hybrid deployment, digital certificates are an important part of securing the communication between the on-premises Exchange organization and Microsoft 365 or Office 365. Certificates enable each Exchange organization to trust the identity of another. Certificates also help to ensure that each Exchange organization is communicating to the right source.

    Certificate requirements for hybrid deployments https://learn.microsoft.com/en-us/exchange/certificate-requirements

    Plan your hybrid Azure Active Directory join implementation https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer–


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.