Certificate template superseded

michael schawel 21 Reputation points
2020-12-17T08:38:05.957+00:00

Hello

We have a template called "Template A". We duplicated that template and called it "Template A New" and set the old template "Template A" as superseded.
"Template A" was configured for auto-enrollement, and all our clients and servers have a machine certificate from the old template.
Now I want to test "Template A New". From the new template I removed the group that contained all of our clients and servers and added a group that only contains 3 Test servers.
Now my question: Since the old template is marked as superseded, does that have any impact on the certificates based on the old template?

Thanks in advance for any clarification

Michael

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,714 questions
0 comments No comments
{count} votes

Accepted answer
  1. Hannah Xiong 6,231 Reputation points
    2020-12-21T06:52:35.557+00:00

    Hello Michael,

    Thank you so much for more explanation.

    So sorry that I do not have the same environment to do the test. Below is my similar test, we could kindly have a check whether it helps.

    I have a template called "Copy of Computer" for Client/Server Authentication. A group called "comp" has rights for auto-enrollement on "Copy of Computer".

    The client within the "comp" group have this certificate based on "Copy of Computer" template.

    49757-1111.png

    49758-1112.png

    I duplicated "Copy of Computer" to "Copy 2 of Computer" and marked "Copy of Computer" as superseded. I also removed "comp" group from the new Template "Copy 2 of Computer".

    In the security tab on "Copy 2 of Computer" I add another Server, and give permissions for read and auto-enrollment.

    49739-1113.png

    49759-1114.png

    The results are shown below:

    1, On the SRV server, the new certificate based on "Copy 2 of Computer" will be installed.

    49819-1115.png

    2, In my test, the client within the "comp" group still have the certificate based on a template that is superseded.

    49760-1116.png

    So from my test, the old certificate will not be affected by the superseded setting. It is suggested that we could try to do the test firstly to avoid any problems.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

6 additional answers

Sort by: Most helpful
  1. Hannah Xiong 6,231 Reputation points
    2020-12-17T09:34:18.853+00:00

    Hello,

    Thank you so much for posting here.

    Certificate autoenrollment also supports the concept of superseding a template or a previously enrolled certificate. Superseding a template allows an administrator to reenroll, change or combine previously issued certificate enrollments into a new certificate enrollment. Autoenrollment always examines existing certificates in the user's store and determines if the template used in the issued certificate has been superseded. If a certificate template has been superseded, the user will automatically be enrolled with the new template, and the old certificates will be deleted or archived depending on the template setting.

    Reference: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb456981(v=technet.10)?redirectedfrom=MSDN#ECAA

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. michael schawel 21 Reputation points
    2020-12-17T09:49:11.387+00:00

    Hello Hannah

    Thank you for the reply.

    As I wrote, before I auto-enroll new certicates based on the new template, I want to do a test with only 3 Test servers. All the certificates (with the exception for the 3 Test Servers) based on the old template should remained untouched.
    Since I marked the old template as superseded, my question is, are the old certificates affected in any way by the superseded flag?

    For clarification: I want to do this Test because our Exchange guy told me that there might will be a problem with Exchange Servers with UM Role when the Computer Certificate will be changed.

    Thanks

    Michael

    0 comments No comments

  3. Hannah Xiong 6,231 Reputation points
    2020-12-18T02:20:23.873+00:00

    Hello Michael,

    You are welcome. Thank you so much for your kindly reply.

    I did the test. Once we marked the old template as superseded, the certificates based on the old template will be deleted and the computers will get the certificates based on the new template.

    As mentioned before, If a certificate template has been superseded, the user will automatically be enrolled with the new template, and the old certificates will be deleted or archived depending on the template setting.

    The old certificates will be affected once the old template is marked as superseded.

    We could try to do the test. For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  4. Martin Rublik 316 Reputation points
    2020-12-18T09:31:28.847+00:00

    I one more thing to add,

    the certificates based on the superseded template will be archived/deleted only if you have rights on auto-enrolling the new template. So you can test the new template for the respective three servers, but you need to keep in mind that for these three servers the certicates will be archived / deleted.

    Martin

    0 comments No comments