New Subordinate Enterprise CA Started Issuing User Certs Automatically

I am in the process of setting up a new PKI with a new offline root CA and one enterprise sub CA.  I haven't finished configuring it and have not set up any custom templates yet or set up any group policies for autoenrollment or issuing certificates from the server.

Our old PKI is still running.  We plan to decommission it and migrate everything to the new PKI next week.

I looked in the MMC of the new CA and see that there is already one certificate issued for EFS for one user.

How can I stop this new CA from automatically issuing any more certificates before the configuration is complete?

I would also like to stop the old CA from issuing new certificates so there is less to migrate next week.

This is a new PKI; the keys from the old server are not moving over to new servers.



  • Edited by MyGposts Thursday, May 21, 2015 8:45 PM
May 21st, 2015 8:42pm

When you installed, the CAPolicy.inf should have had the line

loadDefaultTemplates=0

Since you did not include this line, go to the Certification Authority console

In the Certificate Templates container, delete the default list of certificate templates

Go to issued certificates, and then revoke all issued certificates

Brian

May 22nd, 2015 1:32am

I did not use any inf file.  I configured all of it using the GUI.

There was only one certificate issued.  I stopped the certificate service using the MMC as a temporary workaround until I can find out how to change this.

  • Edited by MyGposts Friday, May 22, 2015 5:11 AM
May 22nd, 2015 5:08am

If you didn't use an inf file during install, then the CA will automatically make certificate templates available. To stop this, you need to stop the CA from using those templates.

In the Certificate Authority management console, under node certificate templates you should see a number of templates. Remove the templates you do not wish to be available to users/computers by deleting them.

This will stop the CA from issuing certificates. This can be done while the CA is stopped, although you will get an error message. The CA will get the updated information once you restart the service.

Do note that it is important that you use the Certificate Authority management console for doing this; do not use the Certificate Templates MMC snap-in! The first will stop the CA from issuing certificates but not delete the template from AD, which is exactly what the latter will do. That is also a bad thing to do unless you know what you are doing.

May 22nd, 2015 10:29am

I thought you were supposed to keep the default templates so you can make copies to work from.

The default template settings might be OK, but I just didn't want certificates to start being issued before I could look at all the settings and see if anything should be modified as well as finish the rest of the CA server configuration.

Can you add the policy inf file after the CA is already configured through the GUI or export the current settings into config file?

I wanted to check to verify there was still only one certificate issued, but I can't see the results unless I start the certificate services again, but I don't want more certificates to get issued when I start the service.

If I revoke the issued EFS certificate, what happens to the user that received the certificate?  Will the user no longer be able to open files that were encrypted?

May 22nd, 2015 3:46pm

That's what I said, do not use the Certificate Templates MMC snap-in to delete the templates, that is a bad thing.

Use the Certificate Authority Management, click templates once and on the right hand side delete the templates. That will stop the CA from being able to issue certificates. Do NOT right-click templates and select "Manage" as that will get you to the Certificates Templates MMC.

Delete from Certificate Authority Management - good. Stops CA from issuing certificates based on the templates. See image below.

Delete from Certificate Templates MMC - bad. Deletes templates from AD.

Yes, the best way is to copy the templates that get created when setting this up and issue those templates.

As Brian said, best way is to use a capolicy.inf file when installing the CA and having the line loadDefaultTemplates=0

May 22nd, 2015 4:09pm
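The procedure the two answers above describe (unpublish the default templates from the CA itself rather than from AD, review what was already issued, and use LoadDefaultTemplates=0 in CAPolicy.inf for a fresh install) can be scripted. The block below is an added example and is not code from the thread or from Microsoft; it assumes the ADCSAdministration PowerShell module (Windows Server 2012 or later) and CA administrator rights on the CA, and the serial number in the revocation comment is a placeholder.

```powershell
# Added example (not from the thread): stop an AD CS enterprise CA from issuing
# certificates from the default templates. Remove-CATemplate is the scripted
# equivalent of deleting entries under the CA console's "Certificate Templates"
# node: it removes the template from this CA's issuing list only and leaves the
# template object in Active Directory, which is the safe direction the thread
# recommends (the Certificate Templates snap-in would delete it from AD).
# Assumes the ADCSAdministration module and CA administrator rights.
Import-Module ADCSAdministration

# 1. Record what the CA currently advertises before changing anything.
$before = Get-CATemplate
$before | Format-Table Name, Oid -AutoSize

# 2. Unpublish every template from this CA. Nothing can be issued from a
#    template the CA no longer lists, so autoenrollment stops immediately.
foreach ($t in $before) {
    Remove-CATemplate -Name $t.Name -Force
}

# 3. Confirm the CA now advertises no templates.
$after = Get-CATemplate
if (-not $after) { Write-Host "CA has no enabled templates." }

# 4. List what was already issued (Disposition 20 = issued) so each certificate
#    can be reviewed with its requester before any revocation decision.
certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CertificateTemplate,NotAfter"

# 5. If a certificate such as the Basic EFS one must be revoked but its use is
#    unknown, Certificate Hold (reason 6) is the only reason that can later be
#    undone; a permanent reason cannot. Placeholder serial, run deliberately:
# certutil -revoke <SerialNumberFromStep4> 6
# certutil -revoke <SerialNumberFromStep4> Unrevoke   # lifts the hold if needed

# 6. For a fresh install, the same outcome is obtained up front by placing
#    CAPolicy.inf in %SystemRoot% BEFORE the AD CS role is configured; the file
#    is ignored once the CA already exists, which is why the GUI-built CA here
#    came up with the defaults. Single-quoted here-string so $ is literal.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[certsrv_server]
LoadDefaultTemplates=0
'@
# Uncomment only on a server that has not yet had AD CS configured:
# Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicy -Encoding ASCII
```

Step 2 is the reversible part of this: republishing a copied, permission-adjusted template later is `Add-CATemplate -Name <TemplateName>`, which matches the advice in this thread to copy the defaults and issue the copies rather than the originals.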

I deleted all the certificate templates and then started the service again.

It was suggested that I revoke any certificates that were issued.

There was one certificate issued that said it was issued using Basic EFS template.  If I revoke this certificate, what happens to that user's files?  I don't know if the user is encrypting any files with EFS.

May 22nd, 2015 5:49pm

You need to find out with the user. If you revoke it and it is in use, you may cause problems.

You are now in a situation where the CA will not issue any more certificates.

May 23rd, 2015 4:08am

If it was used, what are the steps to correct it?

If it was never used, what are the steps to correct it?

Why revoke it if I'm going to still issue certificates from the same server next week? If I let this one user keep using this certificate instead of revoking it, what happens?

May 23rd, 2015 10:50am

Depends on what it was used for.

If it was never used, just revoke it.

If you follow the instructions I provided with my screenshot, you do not revoke any certificates [period].

What you do is that you stop the CA from issuing any more certificates, then you need to copy the needed templates and adjust the permissions so that the correct users/devices are able to get certificates and then issue those templates.

May 24th, 2015 4:26pm
