What is the best way to reissue user certificates after configuration change in a template?
I have set up my MS-ADCS environment in my company and configured auto-enrollment. I have everything working great, but found out that I want my "Subject Name Format" to have a different value.
We are not using the certificates yet in any service, so there's no real problem removing them and reissuing new ones.
My question is: what is the best way or the right way to remove all issued certificates (~200) with the wrong subject value and deploy new certificates with the new (and right) subject value? All users are in AD and I can use scripts or group policy if needed.
Thanks.
EDIT: just to clarify my intent, I prefer to remove/delete the issued certificates with the wrong subject format and don't care at this point about the revocation list (note: I am aware of the consequences).
certificates public-key-infrastructure
edited Dec 17 at 9:22
asked Dec 17 at 8:56
DaveIce
3 Answers
ADCS has a feature for this.
Assuming you have the Certificate Services Client - Auto-Enrollment group policy configured, simply create a new template in the MMC with the correct SAN configuration and add the original template name to the Superseded Templates tab. Group policy will enroll for a new certificate with this template and delete the original for you.
There's no need to revoke anything as nothing's been compromised.
answered Dec 17 at 10:37
garethTheRed
Nice! That makes perfect sense... +1 for the answer, I'll update about the results.
– DaveIce
Dec 17 at 10:52
If you don't use the certificates at any service and they don't have a real purpose atm, I guess it would be the best to revoke the issuing intermediate CA and create a new one issuing the right certificates.
This would be the most maintainable way to revoke all the certificates and your CRL would not get bloated before you even start using the certificates.
answered Dec 17 at 9:05
Lithilion
That is correct, but I prefer to remove the certificates with the wrong subject and have my users with the corrected certificate.
– DaveIce
Dec 17 at 9:16
I think I've found the answer:
Right-clicking the template with the new change, there is an option to "Reenroll All Certificate Holders". Once that is chosen, the template version increases, so the next time the client verifies the certificate version against the template version on the CA, the client will re-enroll.
I tested it with a restart of one of the laptops and the result was only 1 user certificate with the right Subject format.
Note: I think for this option to show up, Auto-enrollment must be configured for the template.
edited Dec 17 at 11:15
answered Dec 17 at 11:08
DaveIce
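Both working approaches on this page (superseding the old template, or "Reenroll All Certificate Holders" bumping the template version) rely on the Auto-Enrollment client replacing the certificate on its next pass, so the thing an administrator wants to check is the user's personal store before and after that pass. The following PowerShell is an added example written for this page, not code posted by anyone in the thread or shipped with ADCS. It assumes a placeholder issuing CA name (`CN=Corp Issuing CA`), a placeholder regex for what the corrected Subject Name Format should produce, and that the `Format($true)` rendering of the certificate-template extension (OID 1.3.6.1.4.1.311.21.7) contains `Template=`, `Major Version Number=` and `Minor Version Number=` lines, which is what the Windows CAPI formatter produces; the regexes are kept loose in case the layout differs. It runs as the affected user on a domain-joined client.

```powershell
# Added example (not from the original post): audit the current user's personal
# store for auto-enrolled certificates that still carry the old subject format,
# trigger an auto-enrollment pass, then re-check.

function Get-TemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # V2+ templates carry szOID_CERTIFICATE_TEMPLATE (1.3.6.1.4.1.311.21.7),
    # which includes the template OID and the major/minor version the CA used.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if ($ext) {
        # Assumption: multi-line Format() output looks like
        #   Template=...(1.3.6.1.4.1.311.21.8.x.y)
        #   Major Version Number=100
        #   Minor Version Number=4
        $text = $ext.Format($true)
        $tpl  = [regex]::Match($text, 'Template=([^\r\n]+)').Groups[1].Value.Trim()
        $maj  = [regex]::Match($text, 'Major Version Number=(\d+)').Groups[1].Value
        $min  = [regex]::Match($text, 'Minor Version Number=(\d+)').Groups[1].Value
        return [pscustomobject]@{ Template = $tpl; Version = "$maj.$min" }
    }
    # V1 templates only carry the template name (1.3.6.1.4.1.311.20.2).
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    if ($ext) { return [pscustomobject]@{ Template = $ext.Format($false); Version = 'v1' } }
    return $null
}

function Get-EnrolledCertReport {
    param(
        [string]$IssuerPattern,         # regex matched against the Issuer DN
        [string]$ExpectedSubjectRegex   # regex the corrected subject must match
    )
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -match $IssuerPattern -and $_.HasPrivateKey } |
        ForEach-Object {
            $info = Get-TemplateInfo -Cert $_
            $tpl = '(none)'; $ver = '-'
            if ($info) { $tpl = $info.Template; $ver = $info.Version }
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotBefore  = $_.NotBefore
                Template   = $tpl
                TplVersion = $ver
                OldFormat  = ($_.Subject -notmatch $ExpectedSubjectRegex)
            }
        }
}

# Placeholders: replace with your issuing CA's DN fragment and the subject
# shape your corrected "Subject Name Format" produces.
$issuer = 'CN=Corp Issuing CA'
$expect = '^CN=[^,]+@corp\.example'

"--- before auto-enrollment pass ---"
Get-EnrolledCertReport -IssuerPattern $issuer -ExpectedSubjectRegex $expect |
    Format-Table Thumbprint, Subject, Template, TplVersion, OldFormat -AutoSize

# Ask the Auto-Enrollment client to run now rather than waiting for the next
# logon or GPO refresh. With a superseding template published, or the old
# template's version bumped by "Reenroll All Certificate Holders", this pass
# is where the old certificate gets replaced.
certutil -pulse | Out-Null
Start-Sleep -Seconds 30

"--- after auto-enrollment pass ---"
$after = Get-EnrolledCertReport -IssuerPattern $issuer -ExpectedSubjectRegex $expect
$after | Format-Table Thumbprint, Subject, Template, TplVersion, OldFormat -AutoSize

$stale = @($after | Where-Object { $_.OldFormat })
if ($stale.Count -eq 0) {
    "OK: no certificate from '$issuer' with the old subject format remains in CurrentUser\My."
} else {
    "WARNING: $($stale.Count) certificate(s) still use the old subject format; check that the"
    "template is published on the CA and that the user has Autoenroll permission on it."
}
```

This only looks at the client store, which is what both answers change: neither superseding nor re-versioning revokes anything, so the ~200 originals stay valid on the CA side until they expire, which is the trade-off the question explicitly accepts (and which Lithilion's answer addresses if that changes). The `certutil -pulse` step is optional; without it the replacement happens at the next scheduled auto-enrollment run, as in the reboot test described above.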