Wednesday, December 21, 2016

Certificate Template Versions and Autoenrollment

Certificate templates for Active Directory Certificate Services (AD CS) carry more than one value related to versioning. In the Certificate Templates console, you can see two versioning attributes:
  • Schema Version - This defines the options available in a certificate template. When documentation talks about "version 1, 2, 3 or 4" templates (for example https://technet.microsoft.com/en-us/library/cc725838(v=ws.11).aspx), it is referring to the schema version. Schema versions are consistent across Windows servers.
  • Version - This number is unique to your AD CS implementation. When you modify the template, this version number is incremented.
Example from the console: Byron Web Server template, Schema Version 2, Version 100.3

The version number for your certificate templates is composed of a major version number and a minor version number. In this example:
  • Major version: 100
  • Minor version: 3

When you make any edit to a certificate template, the minor version number is incremented. Even minor edits such as changing the security configuration for the certificate template increment the minor version number. This number is primarily for your own auditing purposes to identify that a change has been made. Incrementing the minor version number has no immediate impact on clients using autoenrollment.

When you right-click a certificate template and select Reenroll All Certificate Holders, the major version number is incremented and the minor version number is reset to zero. Clients using autoenrollment see that the major version has been incremented and renew their certificates using the updated certificate template. Because every autoenrollment client that holds a certificate from that template will renew within its next autoenrollment cycle, expect a burst of enrollment requests against the CA after you do this in a large environment.

If you use ADSIedit to view the properties of a certificate template, you can see the major and minor version numbers stored as the following attributes:
  • revision
  • msPKI-Template-Minor-Revision

If you manually edit the revision attribute and increment the value, it triggers an update for autoenrollment clients just as if you had selected the Reenroll All Certificate Holders option in the Certificate Templates console. The console action is nothing more than this attribute change, so write access to the template object in the Configuration partition is as sensitive as access to the console itself: anyone who can write the template object can force every holder to re-enroll against whatever the template currently says.
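The same inspection and the same "bump the major version" change can be done from PowerShell, which is handy for auditing many templates at once. The following is an added example, not code from the original post. It assumes the ActiveDirectory module (RSAT) is installed, that the account can read the Configuration partition (and write the template object for the second function), and that you pass the template's LDAP cn (for example WebServer), not its display name (Web Server).

```powershell
# Added example: read and change certificate template version attributes directly in AD.
# Assumes the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$configNC  = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

function Get-CertTemplateVersion {
    param([Parameter(Mandatory)][string]$Name)   # LDAP cn of the template, e.g. "WebServer" (assumed name)
    $t = Get-ADObject -SearchBase $templateContainer `
            -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$Name))" `
            -Properties revision, 'msPKI-Template-Minor-Revision', 'msPKI-Template-Schema-Version', displayName
    if (-not $t) { throw "Template '$Name' not found under $templateContainer" }
    [pscustomobject]@{
        Name          = $t.Name
        DisplayName   = $t.displayName
        SchemaVersion = $t.'msPKI-Template-Schema-Version'
        Major         = [int]$t.revision                          # shown as the part before the dot in the console
        Minor         = [int]$t.'msPKI-Template-Minor-Revision'   # shown as the part after the dot
        Version       = '{0}.{1}' -f $t.revision, $t.'msPKI-Template-Minor-Revision'
        DN            = $t.DistinguishedName
    }
}

# Same effect as "Reenroll All Certificate Holders": increment the major version, reset the minor to 0.
function Invoke-CertTemplateReenroll {
    param([Parameter(Mandatory)][string]$Name)
    $before = Get-CertTemplateVersion -Name $Name
    Set-ADObject -Identity $before.DN -Replace @{
        revision                        = $before.Major + 1
        'msPKI-Template-Minor-Revision' = 0
    }
    Get-CertTemplateVersion -Name $Name
}

# Audit view of every template: schema version plus major.minor, sorted by most recently bumped.
function Get-AllCertTemplateVersions {
    Get-ADObject -SearchBase $templateContainer -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties revision, 'msPKI-Template-Minor-Revision', 'msPKI-Template-Schema-Version', whenChanged |
      Select-Object Name,
                    @{n='SchemaVersion'; e={ $_.'msPKI-Template-Schema-Version' }},
                    @{n='Version';       e={ '{0}.{1}' -f $_.revision, $_.'msPKI-Template-Minor-Revision' }},
                    whenChanged |
      Sort-Object whenChanged -Descending
}

# Usage (template name is an assumption):
# Get-CertTemplateVersion -Name WebServer
# Invoke-CertTemplateReenroll -Name WebServer     # only when you actually want every holder to renew
# Get-AllCertTemplateVersions | Format-Table -AutoSize
```

Get-AllCertTemplateVersions is the one to run on a schedule: a major version that changed when nobody ran Reenroll All Certificate Holders, or a whenChanged timestamp with no matching change ticket, is exactly the kind of thing the version numbers exist to surface.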

On the client side, autoenrollment is triggered by two scheduled tasks in \Task Scheduler Library\Microsoft\Windows\CertificateServicesClient. The triggers for enrollment are:
  • SystemTask (for computer certificates): At startup, repeat every 8 hours
  • UserTask (for user certificates): At sign in, repeat every 8 hours

If you are testing, you can manually run these tasks rather than restarting the computer or signing out and signing back in.
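The following is an added example, not code from the original post, for kicking those tasks during testing and then confirming that the renewal actually happened. It assumes an elevated PowerShell session for SystemTask (UserTask runs as the signed-in user), and it reads the Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) of the local certificates, whose formatted text includes the template's major and minor version numbers; the regular expressions below assume the English formatting of that extension.

```powershell
# Added example: trigger autoenrollment on demand and check which template version each local cert carries.
$taskPath = '\Microsoft\Windows\CertificateServicesClient\'

function Invoke-AutoEnrollmentNow {
    param([ValidateSet('UserTask','SystemTask')][string[]]$Task = @('UserTask','SystemTask'))
    foreach ($name in $Task) {
        # SystemTask runs as SYSTEM; starting it requires an elevated session.
        Start-ScheduledTask -TaskPath $taskPath -TaskName $name
    }
    Get-ScheduledTask -TaskPath $taskPath | Get-ScheduledTaskInfo |
        Select-Object TaskName, LastRunTime, LastTaskResult
}

# List local certificates with the template name and major/minor version recorded in them.
# Clients compare the major version here against the template in AD to decide whether to renew.
function Get-AutoEnrolledCertVersions {
    param([string]$Store = 'Cert:\CurrentUser\My')   # use Cert:\LocalMachine\My for computer certificates
    Get-ChildItem $Store | ForEach-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        if (-not $ext) { return }                     # not issued from a version 2+ template
        $text = $ext.Format($false)                   # e.g. "Template=WebServer(1.3.6...), Major Version Number=100, Minor Version Number=3"
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Template   = if ($text -match 'Template=([^(,]+)')             { $Matches[1].Trim() } else { $null }
            Major      = if ($text -match 'Major Version Number=(\d+)')   { [int]$Matches[1] }   else { $null }
            Minor      = if ($text -match 'Minor Version Number=(\d+)')   { [int]$Matches[1] }   else { $null }
        }
    }
}

# Recent autoenrollment client events (Application log) to see why a renewal did or did not happen.
function Get-AutoEnrollmentEvents {
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage:
# $beforeRun = Get-AutoEnrolledCertVersions
# Invoke-AutoEnrollmentNow -Task UserTask
# Start-Sleep -Seconds 30
# Compare-Object $beforeRun (Get-AutoEnrolledCertVersions) -Property Thumbprint   # new thumbprints = renewed certs
# Get-AutoEnrollmentEvents
```

certutil -pulse does the same job as starting the tasks if you prefer a one-liner; the value of the script is the before/after comparison, which shows whether the client actually picked up the new major version rather than just that the task ran.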
