We are looking to mitigate the PetitPotam vulnerability on our internal two-tier Active Directory CA hierarchy. There is a very clear MS document here...
The very first instruction says "We recommend enabling EPA and disabling HTTP on AD CS servers."
However...there are no additional instructions on editing the CDP / AIA extensions in the subordinate CA server config.
My question is: what happens to already issued certificates without HTTPS in their certificate configuration, and surely we need to add HTTPS extensions to the Subordinate CA configuration?
I'm worried that simply following this document will have a detrimental effect on my PKI infrastructure.
Any advice, explanations would be most gratefully welcomed!
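As an added, read-only example that is not part of the question and not taken from Microsoft's guidance: a PowerShell audit, run locally on the CA, that lists the CDP and AIA publication URLs currently configured on the CA, marks the plain-http entries, and reports the current Extended Protection (EPA) setting on the CertSrv web application. It is meant to give you an inventory of the two settings the question is about before anything is changed. The IIS site path and the presence of the WebAdministration module are assumptions and may differ on your server.

```powershell
# Added example (not from the question or from Microsoft's document).
# Read-only inventory of CDP/AIA publication URLs and the EPA state on an AD CS server.
# Assumption: WebAdministration (IIS) module is installed and the web enrollment
# application lives under the default site path.
Import-Module WebAdministration -ErrorAction SilentlyContinue

# The active CA configuration is named by the 'Active' value under the CertSvc key.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$caCfg   = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

function Show-PublicationUrls {
    param([string]$Label, [string[]]$Entries)
    # Each REG_MULTI_SZ entry has the form "<flags>:<url>", for example
    # "2:http://pki.example/CertEnroll/%3%8%9.crl" (constructed sample value).
    foreach ($entry in $Entries) {
        $flags, $url = $entry -split ':', 2
        $scheme = ($url -split '://', 2)[0]
        $note = if ($scheme -eq 'http') { '<- plain HTTP' } else { '' }
        '{0,-4} flags={1,-4} {2} {3}' -f $Label, $flags, $url, $note
    }
}

"CA configuration: $caName"
Show-PublicationUrls -Label 'CDP' -Entries $caCfg.CRLPublicationURLs
Show-PublicationUrls -Label 'AIA' -Entries $caCfg.CACertPublicationURLs

# Extended Protection for Authentication on the web enrollment application (IIS).
# 'Require' is the value Microsoft's guidance asks for; 'None' means EPA is off.
$sitePath = 'IIS:\Sites\Default Web Site\CertSrv'   # assumption: default install path
$epa = Get-WebConfiguration -PSPath $sitePath `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
    -ErrorAction SilentlyContinue
if ($epa) {
    "EPA tokenChecking on CertSrv: $($epa.tokenChecking)"
} else {
    "CertSrv application not found at $sitePath (adjust the path for your install)"
}
```

Running this before and after applying the Microsoft steps lets you confirm that only the intended settings changed; it does not modify the CA, IIS, or any issued certificate.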