Hi,
After testing on my side, I found some interesting results.
When establishing the connection, the WEF chooses the certificate with the highest thumbprint (if multiple certificates match the requirements: right CA and Client Authentication, at least).
So I kind of brute-force it by renewing a certificate with the same key and checking whether that certificate now has the highest thumbprint of all the certificates. It worked systematically on all my machines.
On some machines I had around 10 certificates and it took one or two minutes to generate.
As I used a dedicated certificate template, I recognised the right certificate by its template name.
It uses the certificate renewal function within the same domain, so it DOESN'T work for out-of-domain servers. But the highest-thumbprint solution is still the same.
Here is a sample of the .ps1 script I made (not the best, but it works at least):
## This script has to be run as Administrator on a WEF Server
## Initial configuration
$templateName = 'YOUR_TEMPLATE_NAME'
$maxAttempts  = 50   # safety cap: every renewal issues a new certificate at the CA

## Find the most recent certificate in the machine store issued from $templateName.
## The template is read from the 'Certificate Template Information' extension by OID
## (1.3.6.1.4.1.311.21.7) rather than by friendly name, so it works on any Windows language.
function Get-TemplateCertificate {
    Get-ChildItem 'Cert:\LocalMachine\My' |
        Where-Object {
            $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } | Select-Object -First 1
            $ext -and ($ext.Format($false) -match [regex]::Escape($templateName))
        } |
        Sort-Object NotBefore -Descending |   # after a renewal both old and new match: keep the newest
        Select-Object -First 1
}

## Highest thumbprint among all certificates in the machine store
## (thumbprints are fixed-length uppercase hex, so string order equals numeric order)
function Get-MaxThumbprint {
    (Get-ChildItem 'Cert:\LocalMachine\My' | Sort-Object Thumbprint | Select-Object -Last 1).Thumbprint
}

$cert = Get-TemplateCertificate
if (-not $cert) {
    Write-Error "No certificate issued from template '$templateName' in Cert:\LocalMachine\My"
    exit 1
}

## Renew with the same key until the template certificate has the highest thumbprint
$attempt = 0
while ($cert.Thumbprint -ne (Get-MaxThumbprint)) {
    if ($attempt -ge $maxAttempts) {
        Write-Error "Gave up after $maxAttempts renewals; $($cert.Thumbprint) is still not the highest thumbprint"
        exit 1
    }
    $attempt++
    Write-Host "## The certificate $($cert.Thumbprint) is NOT the highest thumbprint. Renewing it (attempt $attempt)."
    & certreq -Enroll -machine -q -cert $cert.SerialNumber Renew ReuseKeys
    if ($LASTEXITCODE -ne 0) {
        Write-Error "certreq failed with exit code $LASTEXITCODE"
        exit 1
    }
    $cert = Get-TemplateCertificate
}
Write-Host "## The certificate $($cert.Thumbprint) is valid to authenticate with the WEC."

## Launch a gpupdate to renew the subscription on the WEF
Write-Host "## Launching gpupdate"
gpupdate /force
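A preflight check for the selection rule described in the post above, added here as an example and not part of the original post or its script: it lists the machine certificates the forwarder could pick (issued by the expected CA, currently valid, with a private key and the Client Authentication EKU), sorted so the highest thumbprint comes first, and reports whether that one comes from the expected template. The issuer pattern and template name are placeholders (assumptions) to replace with your own values; the template-name parsing assumes the CA is resolvable so `Format()` prints the name rather than only the template OID.

```powershell
## Added example (not from the original post): which certificate wins the
## "highest thumbprint" selection, and is it the one from our template?
## Assumed placeholders: replace both values with your own.
$IssuerPattern = 'CN=YOUR-ISSUING-CA'    # assumed: substring of the issuing CA's subject DN
$TemplateName  = 'YOUR_TEMPLATE_NAME'    # assumed: same placeholder as in the script above
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'     # id-kp-clientAuth

## Return the template name embedded in a certificate, or '' if it has none.
## Checks the V2 (1.3.6.1.4.1.311.21.7) and V1 (1.3.6.1.4.1.311.20.2) template extensions.
function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions |
        Where-Object { $_.Oid.Value -in @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') } |
        Select-Object -First 1
    if (-not $ext) { return '' }
    $text = $ext.Format($false)
    # V2 output looks like "Template=Name(1.3.6...), Major Version Number=..."; V1 is just the name.
    # On a machine that cannot resolve the template, V2 prints the OID instead of the name.
    if ($text -match 'Template=([^,(\r\n]+)') { return $Matches[1].Trim() }
    return $text.Trim()
}

## Candidates: valid machine certificates from the expected CA, with a private key
## and the Client Authentication EKU (the requirements the post says the WEF applies),
## highest thumbprint first.
function Get-WefCandidateCertificates {
    $now = Get-Date
    Get-ChildItem 'Cert:\LocalMachine\My' |
        Where-Object { $_.Issuer -match [regex]::Escape($IssuerPattern) } |
        Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now -and $_.HasPrivateKey } |
        Where-Object {
            $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
        } |
        Sort-Object Thumbprint -Descending
}

$candidates = @(Get-WefCandidateCertificates)
if ($candidates.Count -eq 0) {
    Write-Warning "No client-authentication certificate issued by '$IssuerPattern' in Cert:\LocalMachine\My"
    return
}

## Show the ranking so you can see how far the template certificate is from the top
$candidates | ForEach-Object {
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Template   = Get-CertTemplateName $_
        NotAfter   = $_.NotAfter
        Subject    = $_.Subject
    }
} | Format-Table -AutoSize

$winner = $candidates[0]
if ((Get-CertTemplateName $winner) -eq $TemplateName) {
    Write-Host "## OK: the highest-thumbprint candidate $($winner.Thumbprint) comes from template '$TemplateName'."
} else {
    Write-Host "## WARNING: the highest-thumbprint candidate $($winner.Thumbprint) is NOT from template '$TemplateName'; the WEF would pick it instead."
}
```

Run it in an elevated PowerShell on the forwarder before and after the renewal loop: the table shows every certificate that competes for selection, and the last line tells you whether the template certificate currently sits on top. If several certificates from the same template appear, the most recent one is the one the renewal loop keeps using.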