When a client gets renamed does it request a new certificate under the new name? Is there a setting that controls this?
Vadims thank you so much for sharing all your knowledge. I have read a number of your posts and they have helped alot however I wanted to ask if you could help me understand... if with Auto Enrollment enabled in Group Policy, If you created a new certificate template by duplicating a User or Computer template, then add that new certificate to the list of available templates, how does the Windows computer know to use these new templates and not the original default ones that are still enabled?
I have been reading up on NDES and apparently there are registry settings we can change to specify the template name so it won't use the default IPSEC template when a device (like a router) goes to request a certificate from it. I just can't seem to find any clear info on how the new User/Computer templates are being selected. The only thing I can assume is that Auto Enrollment just "magically" chooses the latest duplicated certificate? Any guidance would be greatly appreciated. Thank you.
> should i remove the old CA cert with PKIVIEW BEFORE this date or should i let this entry like it is and not deleting it?
It depends, but my recommendation is to leave them as is.
> I have read in the web, if you use 802.1x Auth for LAN an WLAN, it could be happend, that the Windows Radius choose the wrong chain certificate and then the auth of the clients will fail.
NEVER reuse keys during CA renewal to avoid this. Check Recommendations section in this blog post.
> When a client gets renamed does it request a new certificate under the new name?
no.
> Is there a setting that controls this?
most likely no.