Vadims Podāns 15.07.2020 07:41 (GMT+3) Certificate Autoenrollment in Windows Server 2016 (part 3)

> When a client gets renamed does it request a new certificate under the new name?

no.

> Is there a setting that controls this?

most likely no.

Chris 15.07.2020 00:37 (GMT+3) Certificate Autoenrollment in Windows Server 2016 (part 3)

When a client gets renamed does it request a new certificate under the new name? Is there a setting that controls this?

Borroms 10.07.2020 22:33 (GMT+3) Certificate Autoenrollment in Windows Server 2016 (part 3)

Vadims, thank you so much for sharing all your knowledge. I have read a number of your posts and they have helped a lot. However, I wanted to ask if you could help me understand: with Auto Enrollment enabled in Group Policy, if you create a new certificate template by duplicating a User or Computer template and then add that new template to the list of available templates, how does the Windows computer know to use these new templates and not the original default ones that are still enabled?

I have been reading up on NDES and apparently there are registry settings we can change to specify the template name so it won't use the default IPSEC template when a device (like a router) goes to request a certificate from it. I just can't seem to find any clear info on how the new User/Computer templates are being selected. The only thing I can assume is that Auto Enrollment just "magically" chooses the latest duplicated certificate? Any guidance would be greatly appreciated. Thank you.

Rene 03.07.2020 15:26 (GMT+3) Root CA certificate renewal

Hi, thanks for your answer. OK, leaving them as they are sounds good, but what do I have to do on 08.07 when it has expired? Delete them or not? In my lab, everything works. But 802.1x is not possible to test in my local LAN without any GW and routing. I inspected the EAPOL frames with Wireshark. This showed me that the new CA certs will be used to validate. The server hello and the client hello showed the right issuing CA cert to me... so I think it has to work. I rolled out all new certs to the clients and servers with GPO... on our Macs during the Catalina upgrade, we deleted all old certs and recreated the computer cert. This works fine; 802.1x and cert-based VPN auth have no issues. The NPS server cert is also in place with a new cert... so it should be working... everything... on 08.07 I will see it :-) BR Rene
Vadims Podāns 02.07.2020 20:31 (GMT+3) Root CA certificate renewal

> should i remove the old CA cert with PKIVIEW BEFORE this date or should i let this entry like it is and not deleting it?

It depends, but my recommendation is to leave them as is.

> I have read on the web that if you use 802.1x auth for LAN and WLAN, it could happen that the Windows RADIUS chooses the wrong certificate chain and then the auth of the clients will fail.

NEVER reuse keys during CA renewal to avoid this. Check Recommendations section in this blog post.
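As an added check for the recommendation above (this is an example written for this page, not code from the author or the blog post), the following PowerShell lists CA certificates in the local machine's Root and Intermediate stores and flags any that share a public key. A renewal done with key reuse shows up as two CA certificates in one group; a renewal with a new key pair puts each certificate in its own group. The store paths and the use of the Basic Constraints extension to pick out CA certificates are assumptions of this example; run it on a domain member or on the NPS server whose trust stores you want to inspect.

```powershell
# Added example (not from the original post): find CA certificates in the local
# machine trust stores that share a public key, i.e. a renewed CA certificate
# that reused the previous certificate's key pair.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'   # assumed stores to inspect

$caCerts = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object {
            # Keep only certificates whose Basic Constraints extension marks them as a CA.
            $bc = $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            $bc -and $bc.CertificateAuthority
        }
}

# The same certificate can sit in both stores; count each distinct certificate once.
$caCerts = $caCerts | Sort-Object -Property Thumbprint -Unique

# Group by the encoded public key. A group with more than one member means one
# key pair backs several CA certificates (typically a renewal done with key reuse).
$caCerts |
    Group-Object -Property { $_.GetPublicKeyString() } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        Write-Output "Public key shared by $($_.Count) CA certificates:"
        $_.Group |
            Sort-Object -Property NotBefore |
            ForEach-Object {
                # Subject Key Identifier (OID 2.5.29.14), if present, is derived from the key,
                # so it is usually identical across certificates that reused the key.
                $skiExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
                $ski = if ($skiExt) { $skiExt.SubjectKeyIdentifier } else { '(none)' }
                Write-Output ("  Subject={0}  NotBefore={1:yyyy-MM-dd}  NotAfter={2:yyyy-MM-dd}  Thumbprint={3}  SKI={4}" -f
                    $_.Subject, $_.NotBefore, $_.NotAfter, $_.Thumbprint, $ski)
            }
    }
```

No output means every CA certificate in the inspected stores has its own key pair. A group that pairs a still-valid certificate with an expired one is the situation the comment thread is about: with a shared key the chain builder can legitimately select either certificate, so that is the condition worth fixing on the CA side rather than by deleting entries from client stores.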