Windows ADCS Migration and Modernization
Below are the key highlights and Q&A from our PKI Solutions “Office Hours”: The Migration Edition.
While our focus was on the “common gotchas” of Windows Server 2012 R2 ADCS migration, we also touched on attendees' questions and concerns about this topic, and specifically on how to align key and certificate infrastructure strategy with a cloud-first approach, developer productivity and strategic business initiatives.
Attendees had an opportunity to ask us anything within the webinar’s chat function.
Even attendees that thought they had 100% of their Windows Server 2012 R2 ADCS migration issues handled by the right staff with the right skillset found that there are OFTEN issues that slip through the cracks. We address some of those questions and concerns in the transcript below.
If you are facing challenges migrating your PKI and have issues with remote access, availability, scale, and management, we are here to help.
– Shawn Rabourn, CTO, PKI Solutions
– Mark B. Cooper, president and founder, PKI Solutions, aka The PKI Guy
Here are some of the questions that were asked during the webinar along with answers from PKI Solutions.
Below is the entire downloadable presentation: Windows Server 2012 R2 ADCS Migration Top 10 GOTCHAS!
The entire video is embedded at the bottom of this post.
The video playlist of the top 10 GOTCHAS to go with the slides (for context) can be found here:
Windows ADCS Migration and Modernization Office Hours Snippet Q&A Transcript
We had two attendees ask similar questions:
Q: If you are using JAMF or AirWatch via DCOM, they are using offline templates that will not have the OID (1.3.6.1.4.1.311.25.2) that makes them a strong certificate for certificate-based authentication on domain controllers. Do you have concerns that Microsoft will not back off on this?
Q: Any thoughts or concerns about new certificate OIDs from KB5014754 (1.3.6.1.4.1.311.25.2)?
A: Anything that is using offline templates, such as JAMF or AirWatch, will not have the new OID (1.3.6.1.4.1.311.25.2) that Microsoft is using for authentication. In short, this is going to cause massive problems. We have started to consult our clients on how best to address this issue. At this point, we don’t know if Microsoft is going to back out of this. We are exploring Policy Modules to help there, and others in the industry are also looking at ways to address the implications of this change.
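The OID the answer refers to is the szOID_NTDS_CA_SECURITY_EXT extension that KB5014754 introduced to carry the requester's SID inside the certificate. The following is an added example (my code, not PKI Solutions' or Microsoft's) that decodes that extension value with the Python standard library and flags certificates that lack it, which is how you would inventory the offline-template certificates the answer warns about; the subjects and the SID are constructed sample data, and the decoder assumes DER-encoded input.

```python
# Added audit helper (not from the webinar): decodes the szOID_NTDS_CA_SECURITY_EXT value
# (OID 1.3.6.1.4.1.311.25.2) that KB5014754 strong certificate mapping relies on. Stdlib only.
SID_EXT_OID = "1.3.6.1.4.1.311.25.2"
SID_OTHERNAME_OID_TLV = bytes.fromhex("060a2b060104018237190201")  # DER TLV of type-id 1.3.6.1.4.1.311.25.2.1

def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _tlv(tag, value):  # short-form length is enough for a SID-sized payload
    return bytes([tag, len(value)]) + value

def sid_from_extension(ext_value):
    """Return the SID string in a szOID_NTDS_CA_SECURITY_EXT value, or None if malformed.
    Layout: SEQUENCE { [0] OtherName { OID ...25.2.1, [0] EXPLICIT OCTET STRING sid } }."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30 or not seq:
        return None
    tag, other_name, _ = _read_tlv(seq, 0)
    if tag != 0xA0 or not other_name.startswith(SID_OTHERNAME_OID_TLV):
        return None
    tag, explicit, _ = _read_tlv(other_name, len(SID_OTHERNAME_OID_TLV))
    tag2, sid, _ = _read_tlv(explicit, 0) if tag == 0xA0 and explicit else (0, b"", 0)
    return sid.decode("ascii") if tag2 == 0x04 else None

def build_sid_extension(sid):
    """Encode a szOID_NTDS_CA_SECURITY_EXT value (used here only to construct sample data)."""
    return _tlv(0x30, _tlv(0xA0, SID_OTHERNAME_OID_TLV + _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))))

def audit(certs):
    """certs: list of (subject, {extension OID: DER value}). Returns (subject, SID or reason)."""
    report = []
    for subject, exts in certs:
        value = exts.get(SID_EXT_OID)
        sid = sid_from_extension(value) if value else None
        report.append((subject, sid or "no SID extension: offline template?"))
    return report

# Constructed sample: one cert from an online AD template, one from an MDM/offline template.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID value
SAMPLE_CERTS = [
    ("CN=alice (online template)", {SID_EXT_OID: build_sid_extension(SAMPLE_SID)}),
    ("CN=laptop01 (MDM offline template)", {}),
]
```

In a real inventory the extension bytes would come from each issued certificate's extension list (for example the raw value of the matching entry in .NET's X509Certificate2.Extensions), and the SID would then be compared against the account the certificate is meant to map to.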
Q: My question is around the EOL and what specifically this impacts. The OS is clearly out of support; does that extend to the Compatibility Settings for the Certificate Authority or Certificate recipient within the templates themselves?
Summary:
- No, EOL does not extend to the certificates or certificate templates in your environment.
- You need to make sure that the lifetime on the keys is valid.
- Compatibility settings check which features are enabled on a template, but you could still be running version 2 templates on a newer OS.
The entire Windows ADCS Migration and Modernization Office Hours video can be seen here:
Mark B. Cooper
President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.