This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 72%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
Hi,
I want to implement 2048 bit key size domain controller certificates for my domain controllers. right now they have 1024 bit key size domain controller certificate.
would like to get below steps verified (let me know if anything else i srequired).
Question 1: Do I have to create an explicit GPO for autoenrollment (renewal) for this new certificate template as my current 1024 domain controller certificate has no explicit GPO configured and they are renewed automatically?
Question 2: Also, once above mentioned steps are executed, will it not renew certificate from 2 different template (original domain controller and new domain controller template with 2048 key) considering existing domain controller certificates are being renewed without having any explicit autoenrollment policy
Thanks in advance for the help
Q1: yes, it is necessary to create an autoenrollment policy when using custom template. However, you may not need to create a custom template. You can utilize "Kerberos Authentication" certificate template which should have proper key length. It already has all proper permissions. And remove "Domain Controller" and "Domain Controller Authentication" templates from CAs.
Q2: see above. Just remove unnecessary templates from CAs.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 28.999999999999996%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVW%3C/text%3E%3C/svg%3E)
》》》Do I have to create an explicit GPO for autoenrollment (renewal) for this new certificate template as my current 1024 domain controller certificate has no explicit GPO configured and they are renewed automatically?
According to my knowledge, I suggest you create an automatic registration strategy
》》》Also, once above mentioned steps are executed, will it not renew certificate from 2 different template (original domain controller and new domain controller template with 2048 key) considering existing domain controller certificates are being renewed without having any explicit autoenrollment policy
As MVP said Just remove unnecessary templates from CA will do
Hope this information can help you
Best wishes
Vicky
