certificate enrollment based on existing trust
Hey,
This is a bit of an irregular question. Let me describe what I have now.
We had an old Microsoft Certificate Authority which we want to demote (i.e. server A). This old server had issued certificates from template A to a lot of servers in the environment.
We have now installed a new certificate server (i.e. server B) and created a better template (template B) for our daily use.
We want to get rid of the old cert server, but before that we must set all the clients with certificates from template A to issue certs from template B.
Right now, we have a Group Policy (with the right certificate template settings) which lets the clients enroll new certs from template B, but they are waiting for our authorization [for security reasons, we don't want the certificates to be issued automatically].
What we do want to do is to issue certs from template B to all those who have valid template A certs.
- Is there a technical way to do this? To auto-issue certs from template B based on the existence of a template A cert? How do you create a trust between the templates?
- What are your suggestions?
- Is there a procedure for demoting a certificate server? I have found the following page on Microsoft Learn, but they did not talk there about how you set up the certificate clients correctly and how to make sure they have all migrated to work with the new CA.
Thanks
Tankwell