WIndows 2012 R2 Certificate Services
I am setting up a new SubCA in our environment which has been install and setup according. When setting up the new CA the server will automatically published a handful to templates: Computer, Kerbose Authentication, Domain Controller Authentication etc.. When I was setting up the CA and before I removed some of the default published templates a workstation was issued the Domain Controller Authentication and Kerbose Authentication templates. From a security point of via is this a bad thing and should I revoke the certs. Why is the version 1 computer template automatically published by default with the client / server key usage?
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Better to understand that there are different version templates and version 1 cannot be removed. They are defsult to give you what is required. You can focused on the limited access to users if you wanted oversight or have concern on who can enrolled them.
Version 1 certificate templates support general certificate needs and provide compatibility with clients and issuing CAs running Windows 2000 operating systems. Version 1 templates are installed by default during CA setup and cannot be deleted.
The only property that can be modified on a version 1 template is the set of assigned permissions that controls access to the template.
Compared to V1, the V2 certificate templates were introduced in Windows Server 2003 and can be configured by an administrator to control the way certificates are requested, issued, and used. These templates provide support for certificate autoenrollment. In addition to V2 template features and autoenrollment, V3 certificate templates provide support for Suite B cryptographic algorithms. These algorithms were created by the U.S. NSA to specify cryptographic algorithms that must be used by U.S. government agencies to secure confidential information.
Version 1 certificate templates support general certificate needs and provide compatibility with clients and issuing CAs running Windows 2000 operating systems. Version 1 templates are installed by default during CA setup and cannot be deleted.
The only property that can be modified on a version 1 template is the set of assigned permissions that controls access to the template.
Compared to V1, the V2 certificate templates were introduced in Windows Server 2003 and can be configured by an administrator to control the way certificates are requested, issued, and used. These templates provide support for certificate autoenrollment. In addition to V2 template features and autoenrollment, V3 certificate templates provide support for Suite B cryptographic algorithms. These algorithms were created by the U.S. NSA to specify cryptographic algorithms that must be used by U.S. government agencies to secure confidential information.
Thank you for your feedback.
DO or should all servers / workstations have the computer cert what is for client / server authentication or is it best to create a new one that is version 2.
What about my two workstations that grabbed a cert for Domain Controller authentication and kerbose authentication and am concerned about this. Should I revoke them?
DO or should all servers / workstations have the computer cert what is for client / server authentication or is it best to create a new one that is version 2.
What about my two workstations that grabbed a cert for Domain Controller authentication and kerbose authentication and am concerned about this. Should I revoke them?
All domain joined should have machine cert. It is represented in AD. The client/Server authentication usage is to meant the certificate can be used for user or machine when certain checks on the identity is needed. Like login, NAC, SSL etc..the autoenrollment (V2) will be preferred.
Kerberos Authentication and Domain Controller Authentication (v2) are both used to authenticate Active Directory computers and users. It should be fine.
For a better understanding of various template, I suggest you can reference to the list of default template purpose.
https://technet.microsoft.com/en-us/library/cc755033(v=ws.10).aspx
Kerberos Authentication and Domain Controller Authentication (v2) are both used to authenticate Active Directory computers and users. It should be fine.
For a better understanding of various template, I suggest you can reference to the list of default template purpose.
https://technet.microsoft.com/en-us/library/cc755033(v=ws.10).aspx
Thank you very much. Should I recreated the default Computer template so it is a version 2 since version 1's cannot be auto enrolled?
Yes you can. By default, V1 for such authentication is not in AD so you can create one based on it and publish into AD, so all computer in the domain can autoenroll based on that new template. Pls see below and should be applicable to Win2012 too.
https://technet.microsoft.com/en-us/library/cc731242(v=ws.10).aspx
Furthermore if you need to supercede existing template that has been issued to follow the new template, you can look at this https://technet.microsoft.com/en-us/library/cc753044(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc731242(v=ws.10).aspx
Furthermore if you need to supercede existing template that has been issued to follow the new template, you can look at this https://technet.microsoft.com/en-us/library/cc753044(v=ws.10).aspx
Premium Content
You need an Expert Office subscription to comment.Start Free Trial