AD DS: Get all user objects containing userCertificate

If a certificate template has Publish certificate in Active Directory enabled, every certificate issued from it is also written to the userCertificate attribute of the user object. This is usually not required and it can cause problems. To find which accounts have a certificate published to their user object, run the following one-liner.
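As an added example (this is not the post's own one-liner, and the optional search base parameter is an assumption), the script below enumerates user objects that have a value in userCertificate and decodes each DER blob so that stale or expired published certificates stand out:

```powershell
# Added example (not the post's own one-liner): enumerate user objects that carry a value in
# userCertificate and decode each blob so expired published certificates are easy to spot.
Import-Module ActiveDirectory

function Get-PublishedUserCertificate {
    [CmdletBinding()]
    param(
        # Search base is an assumption for this example; omit it to search the whole domain.
        [string]$SearchBase
    )
    $params = @{
        LDAPFilter = '(userCertificate=*)'   # only objects that actually have the attribute populated
        Properties = 'userCertificate'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @params) {
        # userCertificate is multi-valued; each value is one DER-encoded certificate
        foreach ($raw in $user.userCertificate) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                Subject        = $cert.Subject
                Issuer         = $cert.Issuer
                NotAfter       = $cert.NotAfter
                Thumbprint     = $cert.Thumbprint
                Expired        = ($cert.NotAfter -lt (Get-Date))
                RawValue       = $raw   # kept so a single value can be removed from the attribute later
            }
        }
    }
}

# Usage: list every published certificate, expired ones included
Get-PublishedUserCertificate |
    Sort-Object SamAccountName, NotAfter |
    Format-Table SamAccountName, Subject, NotAfter, Expired -AutoSize
```

Because the attribute is multi-valued, cleaning up one stale entry without touching the others is done per value, e.g. `Set-ADUser -Identity $row.SamAccountName -Remove @{userCertificate = $row.RawValue}` for a row whose Expired column is True.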

Monitor CRL freshness

It is vital that the CRL is fresh and available; otherwise your PKI is not healthy. I often hear that customers create a reminder in their calendar. Even with that kind of effort, PKI outages are quite common, and the reason is a CRL that has expired. I stumbled over the tool get-crlfreshness. This PowerShell cmdlet, in short…
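As an added example (this is my own script, not the get-crlfreshness cmdlet the post refers to; the CDP URL is a placeholder, and it assumes certutil's dump output contains the ThisUpdate/NextUpdate lines), the function below downloads a CRL from its distribution point and flags it when it is expired or about to expire, so it can run as a scheduled task instead of a calendar reminder:

```powershell
# Added example, not the get-crlfreshness cmdlet: fetch a CRL from its distribution point,
# read ThisUpdate/NextUpdate from certutil's dump and flag it when expired or close to expiry.
function Test-CrlFreshness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$WarnHours = 24    # warn when less than this many hours remain before NextUpdate
    )
    $tmp = Join-Path $env:TEMP ('crl-{0}.crl' -f [guid]::NewGuid())
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        # certutil understands both DER and Base64 CRLs; we only need the two date lines
        # (assumption: the dump prints "ThisUpdate:" and "NextUpdate:" lines)
        $dump       = (& certutil.exe -dump $tmp) -join "`n"
        $thisUpdate = [regex]::Match($dump, 'ThisUpdate:\s*(.+)').Groups[1].Value.Trim()
        $nextUpdate = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
        if (-not $nextUpdate) { throw "NextUpdate not found in certutil output for $Url" }

        $next      = [datetime]::Parse($nextUpdate)   # certutil prints dates in the local culture
        $remaining = $next - (Get-Date)
        $status    = 'OK'
        if ($remaining.TotalHours -le 0)             { $status = 'EXPIRED' }
        elseif ($remaining.TotalHours -lt $WarnHours) { $status = 'WARNING' }

        [pscustomobject]@{
            Url        = $Url
            ThisUpdate = [datetime]::Parse($thisUpdate)
            NextUpdate = $next
            HoursLeft  = [math]::Round($remaining.TotalHours, 1)
            Status     = $status
        }
    }
    finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# Usage: check every CDP you publish (placeholder URL) and exit non-zero if any is not OK,
# which lets a scheduled task or monitoring agent raise an alert.
$results = 'http://pki.example.test/crl/IssuingCA.crl' | ForEach-Object { Test-CrlFreshness -Url $_ }
$results | Format-Table -AutoSize
if ($results.Status -contains 'EXPIRED' -or $results.Status -contains 'WARNING') { exit 1 }
```

Set WarnHours to something larger than the gap between your scheduled publication and NextUpdate (the overlap period on the CA), so a missed publication is noticed while the old CRL is still valid.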

CertificateServicesClient-CertEnroll EventID 35

I experienced something odd when running tests of a new template for a customer. The template is a straightforward Workstation Authentication template with the Machine template set as superseded.

All seemed fine: the Machine template certificate was removed and the new certificate was issued. But after a reboot of the client another certificate was issued, so the client now had two certificates issued from the Workstation Authentication template. After enabling debug logging on the client I found this event:

Source: CertificateServicesClient-CertEnroll

EventID: 35

General: Certificate enrollment for Local system detected that the DNS name in the TEMPLATENAME certificate does not match the DNS name of the local computer. A new enrollment for a TEMPLATENAME certificate will be attempted in 24 hours.

The problem was that the client I had been given had an _ in its hostname. That character is not supported in DNS names. More information is in this article: https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and.
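As an added example (not from the post; the provider name used for the event query is an assumption derived from the source shown above), the script below checks whether the local computer name is a valid DNS label and pulls any CertEnroll event 35 entries, so the cause of the repeated enrollment can be spotted before the second certificate appears:

```powershell
# Added example, not from the post: two checks for the situation described above.
# 1) Is the local computer name a valid DNS host name (letters, digits and hyphen only, so no "_")?
# 2) Has CertEnroll already logged event 35 for it?
#    The provider name below is an assumption based on the event source shown in the post.
function Test-DnsHostName {
    param([string]$Name = $env:COMPUTERNAME)
    # One DNS label: starts and ends with a letter or digit, hyphens allowed inside, at most 63 chars
    [bool]($Name -match '^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')
}

function Get-CertEnrollNameMismatchEvent {
    param([int]$MaxEvents = 20)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'   # assumption
        Id           = 35
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage
if (-not (Test-DnsHostName)) {
    "Computer name '$env:COMPUTERNAME' contains characters that are not valid in a DNS name; expect CertEnroll to retry enrollment every 24 hours."
}
Get-CertEnrollNameMismatchEvent | Format-List
```

Test-DnsHostName 'WS_01' returns False while Test-DnsHostName 'WS-01' returns True, which is exactly the distinction that made the client above re-enroll after every reboot.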