Certificate Services Templates

Garry O'Neill 20 Reputation points
2023-09-04T03:43:00.9+00:00

Hello, I've deployed a new PKI environment, Offline Root CA with two Enterprise Subordinate CAs, into my existing environment. The goal is to replace the old PKI environment with this new one.

When I installed the Subordinate CAs I used a CAPolicy.inf file and specified LoadDefaultTemplates = 0.

On the old CA all of the templates have been loaded but on the new CAs they are not. Do I need to load all of the templates that I can see on the old CA server to the new CA servers?

As an example, all of these templates are loaded onto the old CA.

'Administrator', 'Authenticated Session', 'Basic EFS', 'CA Exchange', 'CEP Encryption', 'Code Signing', 'Computer', 'Cross Certification Authority', 'Directory Email Replication', 'Domain Controller', 'Domain Controller Authentication', 'EFS Recovery Agent', 'Enrollment Agent', 'Enrollment Agent (Computer)', 'Exchange Enrollment Agent (Offline request)', 'Exchange Signature Only', 'Exchange User', 'IPSec', 'IPSec (Offline request)', 'Kerberos Authentication', 'Key Recovery Agent', 'OCSP Response Signing', 'RAS and IAS Server', 'Router (Offline request)', 'Smartcard Logon', 'Smartcard User', 'Subordinate Certification Authority', 'Trend Subordinate Certification Authority', 'Trust List Signing', 'User', 'User Signature Only'

Are they all needed? Do I now need to add these to my new CAs? Like most people, when I need a template, I duplicate the default one, configure it as needed and then load it. Which suggests to me that all of those default ones don't really need to be loaded? And as part of the decommissioning process, do I then remove all of these templates from the old CA?

We are using Auto Enrollment to push User and Computer certs to our users and computers. In order to start using the new CAs, would I then create a new user and computer template on each new CA server and then add the old user and computer templates as superseded templates, and then kick off a re-enroll? Is there a way to test this?

Again, I assume I would remove the old user and computer templates from the old CA?

Any advice would be appreciated.

Thanks!


Accepted answer
  1. Daisy Zhou 24,046 Reputation points Microsoft Vendor
    2023-09-13T06:55:33.9733333+00:00

    Hello Garry O'Neill,

    Thank you for posting in Q&A forum.

    Q1: On the old CA all of the templates have been loaded but on the new CAs they are not.
    Do I need to load all of the templates that I can see on the old CA server to the new CA servers?

    A1: What did you mean by "load" all of the templates? Did you mean right-click the "Certificate Templates" container and select "New" - "Certificate Template to Issue"? If so, you can load all of the templates, because after the old CA is decommissioned you will use the new CA to issue certificates to all the end entities.

    Q2: Are they all needed? Do I now need to add these to my new CAs?

    A2: If these templates are in use on the old CA, you can load them now or before the old CA is decommissioned.
    There may be some certificate templates on the old CA that are not in use and that you will not use in future; you do not need to load such certificate templates.

    Q3: Which suggests to me that all of those default ones don't really need to be loaded?

    A3: If the default certificate templates are in use and you will need them in future, you need to load them.

    Q4: And as part of the decommissioning process, do I then remove all of these templates from the old CA?

    A4: I think you do not need to, because the certificate templates are stored in the AD configuration partition of the forest, and you will need them on the new CA.

    Q5: Would I then create a new user and computer template on each new CA server and then add the old user and computer templates as superseded templates?

    A5: You can use the old user and computer templates, or you can create/duplicate new user and computer templates if any settings on the old user and computer templates do not meet your requirements.

    Note:

    1. Certificate templates are stored in the AD configuration partition; all the PKI structures (if you have more than one) share the same templates.

    2. You can use these templates on any CA server. You can also create/duplicate new certificate templates on any CA server, depending on your needs.

    3. But the important thing is that, before you decommission the old CA, all the certificates issued by the old CA server must be issued by the new CA server if you still need these certificates to keep working on the end entities.

    Hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

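The accepted answer's points map to a concrete check: templates live once in the forest's configuration partition, each CA separately chooses which of them it publishes, and only the templates actually in use on the old CA need to be published on the new one. The script below is an added example written for this thread, not code from the Q&A or from Microsoft; it compares the templates published on the old CA with those on the new CA, shows which superseded templates a new template references (the autoenrollment migration asked about in Q5), and, only when `-Publish` is given, publishes the missing ones on the new CA. It assumes the ADCSAdministration and ActiveDirectory modules, working PowerShell remoting to both CAs, and CA-administrator rights; the host names are placeholders.

```powershell
# Added example (not from the Q&A thread). Audits template publication on an
# old and a new Enterprise CA and optionally publishes the gap on the new one.
# Assumptions: ADCSAdministration module on both CAs, PowerShell remoting
# enabled, ActiveDirectory module on the machine running this, and CA admin
# rights for the caller. Host names below are placeholders.
param(
    [string]$OldCA   = 'OLDCA01.corp.example',   # placeholder
    [string]$NewCA   = 'NEWCA01.corp.example',   # placeholder
    [string[]]$Skip  = @(),                      # templates you know are unused
    [switch]$Publish                             # report only unless set
)

# Distinguished name of the shared template container in the configuration
# partition; every CA in the forest reads templates from here (answer note 1).
$script:TemplateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
    (Get-ADRootDSE).configurationNamingContext

# Template common names published on a given CA (the "Certificate Templates"
# folder in certsrv.msc). Get-CATemplate runs only on the CA itself, hence remoting.
function Get-PublishedTemplateNames([string]$CAHost) {
    Invoke-Command -ComputerName $CAHost -ScriptBlock {
        Import-Module ADCSAdministration
        Get-CATemplate | Select-Object -ExpandProperty Name
    }
}

# Every template defined in the forest, whether or not any CA publishes it.
function Get-ForestTemplateNames {
    Get-ADObject -SearchBase $script:TemplateContainer `
        -Filter { objectClass -eq 'pKICertificateTemplate' } -Properties name |
        Select-Object -ExpandProperty name
}

# Templates that a given template supersedes (msPKI-Supersede-Templates holds
# the common names). Autoenrollment replaces certificates issued from these.
function Get-SupersededTemplates([string]$TemplateName) {
    $obj = Get-ADObject -Identity "CN=$TemplateName,$script:TemplateContainer" `
        -Properties 'msPKI-Supersede-Templates'
    @($obj.'msPKI-Supersede-Templates')
}

$oldPublished = @(Get-PublishedTemplateNames $OldCA)
$newPublished = @(Get-PublishedTemplateNames $NewCA)
$forest       = @(Get-ForestTemplateNames)

# Published on the old CA, not yet on the new CA, and not explicitly skipped.
$gap = $oldPublished | Where-Object { $_ -notin $newPublished -and $_ -notin $Skip }

Write-Host "Published on $OldCA : $($oldPublished.Count)"
Write-Host "Published on $NewCA : $($newPublished.Count)"
Write-Host "Defined in forest   : $($forest.Count)"
Write-Host "Missing on $NewCA   : $($gap -join ', ')"

# Sanity check: a name published on the old CA must still exist in the forest,
# otherwise Add-CATemplate on the new CA will fail for it.
$orphans = $gap | Where-Object { $_ -notin $forest }
if ($orphans) { Write-Warning "Not found in forest: $($orphans -join ', ')" }

# Show the supersede chain for the templates already published on the new CA,
# which is what drives the User/Computer re-enrollment discussed in Q5.
foreach ($t in $newPublished) {
    $sup = Get-SupersededTemplates $t
    if ($sup.Count -gt 0) { Write-Host "$t supersedes: $($sup -join ', ')" }
}

if ($Publish) {
    # Add-CATemplate -Force publishes without the interactive confirmation prompt.
    Invoke-Command -ComputerName $NewCA -ArgumentList (, $gap) -ScriptBlock {
        param($names)
        Import-Module ADCSAdministration
        foreach ($n in $names) { Add-CATemplate -Name $n -Force }
    }
}
```

Run it without `-Publish` first and review the "Missing" line against the old CA's issued-certificates view (`certutil -view` on the old CA, restricted by template) to decide which names belong in `-Skip`; a template that the old CA never actually issued from does not need to be published on the new CA, as answer A2 says. Once the new User and Computer templates are published and supersede the old ones, a test client can be forced through an autoenrollment pass with `certutil -pulse` (and `gpupdate /force` for the user context) to confirm the re-enrollment before it is rolled out more widely.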

1 additional answer

  1. Limitless Technology 44,341 Reputation points
    2023-09-05T10:57:41.3133333+00:00

    Hello

    Thank you for your question and reaching out.

    The certificate template created by enterprise PKI is saved on the forest level configuration partition and replicated on all domain controllers in the forest.

    If all of the certificate templates are missing, we can open the certificate template console and see where the certificate templates are stored (if the domain has more than one DC).
