I'm in the process of retiring our old Certificate Authority and need to make sure all endpoints get new computer authentication certificates from the new CA. The problem is that the template is set to not re-enroll unless the certificate is expiring, which means it could take a while for all devices to get updated. I'm looking for an effective script or method to request new certificates with a specific name/template, so I don't have to rely on manual processes. Any suggestions?
3 Answers
A good approach is to create a new certificate template and deploy it while stopping the issuance of the old one. This way, devices will grab the new cert without waiting for the old ones to expire.
So, just a new template called something like 'Computer Authentication 2' with auto enrollment enabled? Sounds like a solid plan!
You might also want to consider cross-signing the old CA's roots with the new CA for a period (like 365 days) to make sure everything transitions smoothly.
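A per-machine check for the approach in the answers above, added here as an example and not taken from any of the posts: it requests a certificate from the new template only when the machine store holds no valid client-authentication certificate from the new CA. The CA name and template name are placeholders, and it assumes the script runs as SYSTEM or an elevated administrator (for example from a startup script or scheduled task) on a machine that can reach its enrollment policy.

```powershell
# Added example; the CA and template names below are placeholders for your environment.
$NewCaName     = 'NEW-ISSUING-CA-PLACEHOLDER'   # CN of the new issuing CA (assumed)
$TemplateName  = 'ComputerAuthentication2'      # template name, not display name (assumed)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'            # Client Authentication EKU
$Store         = 'Cert:\LocalMachine\My'

function Test-HasNewCaCert {
    param([string]$IssuerCn, [string]$EkuOid, [string]$StorePath)
    $now = Get-Date
    # A usable cert: issued by the new CA, has its private key, is inside
    # its validity window, and carries the Client Authentication EKU.
    $match = Get-ChildItem -Path $StorePath | Where-Object {
        $_.Issuer -like "*CN=$IssuerCn*" -and
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $EkuOid)
    }
    return [bool]$match
}

if (Test-HasNewCaCert -IssuerCn $NewCaName -EkuOid $ClientAuthOid -StorePath $Store) {
    Write-Output "OK: valid certificate from $NewCaName already present."
    exit 0
}

try {
    # Without -Url, Get-Certificate uses the machine's configured enrollment policy.
    $result = Get-Certificate -Template $TemplateName -CertStoreLocation $Store -ErrorAction Stop
    Write-Output "Enrollment status: $($result.Status)"
    if ($result.Status -eq 'Issued') {
        Write-Output "Thumbprint: $($result.Certificate.Thumbprint)"
        exit 0
    }
    exit 2   # request submitted but not issued yet (for example, pending approval)
} catch {
    Write-Error "Enrollment failed: $($_.Exception.Message)"
    exit 1
}
```

The exit codes let a deployment tool report which machines still lack a certificate from the new CA before the old one is retired.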