Certificate template superseded

michael schawel 21 Reputation points
2020-12-17T08:38:05.957+00:00

Hello

We have a template called "Template A". We duplicated that template and called it "Template A New" and set the old template "Template A" as superseded.
"Template A" was configured for auto-enrollment, and all our clients and servers have a machine certificate from the old template.
Now I want to test "Template A New". From the new template I removed the group that contained all of our clients and servers and added a group that only contains 3 Test servers.
Now my question: Since the old template is marked as superseded, does that have any impact on the certificates based on the old template?

Thanks in advance for any clarification

Michael


Accepted answer
  1. Hannah Xiong 6,231 Reputation points
    2020-12-21T06:52:35.557+00:00

    Hello Michael,

    Thank you so much for more explanation.

    So sorry that I do not have the same environment to do the test. Below is my similar test; we could kindly check whether it helps.

    I have a template called "Copy of Computer" for Client/Server Authentication. A group called "comp" has rights for auto-enrollment on "Copy of Computer".

    The client within the "comp" group has this certificate based on the "Copy of Computer" template.


    I duplicated "Copy of Computer" to "Copy 2 of Computer" and marked "Copy of Computer" as superseded. I also removed "comp" group from the new Template "Copy 2 of Computer".

    In the security tab on "Copy 2 of Computer" I add another Server, and give permissions for read and auto-enrollment.


    The results are shown below:

    1. On the SRV server, the new certificate based on "Copy 2 of Computer" will be installed.


    2. In my test, the client within the "comp" group still has the certificate based on a template that is superseded.


    So from my test, the old certificate will not be affected by the superseded setting. It is suggested that we try the test first to avoid any problems.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong


    1 person found this answer helpful.
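
One way to check the outcome of the test described in this thread on a given machine, as an added example that is not part of the original posts: the script lists each certificate in the local machine Personal store with the template it was issued from, saves a baseline on the first run, and on a later run reports certificates added or removed. The function name and the snapshot path are placeholders chosen for this example, and it assumes the store holds at least one certificate.

```powershell
# Added example. Run elevated, once before the template change and once after
# autoenrollment has been triggered (for example by gpupdate).
$TemplateOids = @(
    '1.3.6.1.4.1.311.21.7',  # Certificate Template Information (version 2+ templates)
    '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (version 1 templates)
)

function Get-MachineCertTemplate {
    # Returns one object per certificate in Cert:\LocalMachine\My.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Pick the extension that records the issuing template, if present.
        $ext  = $cert.Extensions |
                Where-Object { $TemplateOids -contains $_.Oid.Value } |
                Select-Object -First 1
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Template   = if ($ext) { $ext.Format($false) } else { '(no template extension)' }
        }
    }
}

# Placeholder location for the baseline file (assumption of this example).
$snapshot = Join-Path $env:TEMP 'machine-certs-before.csv'

if (-not (Test-Path $snapshot)) {
    # First run: record the state before changing template permissions.
    Get-MachineCertTemplate | Export-Csv -Path $snapshot -NoTypeInformation
    "Baseline written to $snapshot"
} else {
    # Later run: compare the current store against the baseline.
    $before = Import-Csv -Path $snapshot
    $after  = Get-MachineCertTemplate
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Thumbprint, Template |
        Select-Object Thumbprint, Template,
            @{ Name = 'Change'; Expression = { if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' } } }
}
```

No output on the second run means the store is unchanged; a certificate from the superseded template that was replaced shows up as one `removed` row and one `added` row.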

6 additional answers

  1. michael schawel 21 Reputation points
    2020-12-19T11:52:48.81+00:00

    Sorry, my initial question was not so clear.

    Let's try to explain it better:

    I have 2 CAs, an old one and a new one (I am in the process of migrating the old CA to the new CA)

    On the old CA, I have a template called "Template one" for Client/Server Authentication. A group called "group 1" has rights for auto-enrollment on "Template One"

    On the new CA I duplicated "Template one" to "Template One New" and marked "Template One" as superseded. I also removed "group 1" from the new Template "Template One New".

    Now I need to make a Test.

    In the security tab on "Template One New" I add a new group that contains 3 Exchange Servers, and give permissions for read and auto-enrollment.

    The result will be that after a gpupdate on the 3 Exchange Servers the certificate from "Template One" will be removed and the new template "Template One New" will be installed.

    After that test all our clients and servers (except the 3 Exchange Servers) still have the "Client/Server Authentication Certificate" based on a template that is superseded.

    Are those old certificates affected in any way by the superseded setting? (This is the question I need to find an answer for)

    I need to know this because I don't want to do this test with the 3 Exchange Servers until it is 100% clear to me that the test will not have any impact on the hundreds of other clients and servers in our network.

    Thanks

    Michael


  2. Ben Kesel 0 Reputation points
    2023-02-08T10:42:44.7466667+00:00

    From my experience with a domain controller server certificate, when we superseded it, it would no longer auto-enroll, even though the old superseded certificate was still set to auto-enroll until we were ready to flip over. So make sure you are aware of this when you supersede a certificate template. Basically it will stop auto enrolling.
