Basics: Replacing (Superseding) Certificate Templates

With the introduction of version 2 certificate templates along with Windows XP and Windows Server 2003, the option was introduced for a certificate template to replace one or more others.

This makes it possible to replace issued certificates with those of another certificate template, or to consolidate multiple certificate templates into a single one.

This mechanism only works for certificates that are either manually or automatically via autoenrollment be applied for.

The configuration of which certificate templates are superseded is configured in the Superseded Templates tab of the new certificate template.

The moment the autoenrollment process receives a certificate of the new certificate template, certificates of replaced certificate templates are archived, i.e. they are still available on the client, but are no longer offered for selection.

On the client the Event with ID 10 of source Microsoft-Windows-CertificateServicesClient-CertEnroll logged.

It is also possible to set that replaced certificates are deleted from the local certificate store. This setting is made in the Request Handling tab of the replace certificate template, but is only possible if the Purpose is set to Signature.

If a deletion is configured not the private key of the certificate is deleted.

Questions and answers about Superseding

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

Is the request for a certificate immediate or only after 80% of the certificate validity from the replaced certificate template has expired?

Unlike the renewal of a certificate from the same certificate template, the request for a certificate from the new certificate template does not take place Only after 80% of the certificate validity has expired. of the replaced certificate template, but immediately (i.e. as soon as a client successfully logs on to Active Directory and the autoenrollment process is triggered).

Does the replaced certificate template still need to be published?

No. It does not have to be published any further. Provided that all users are authorized to apply for a certificate on the new certificate template, however, no Certificate Enrollment will be made against the replaced certificate template, even if it is still published on a certification authority.

If I am not entitled to the new certificate template, do I get another certificate from the replaced certificate template?

Yes, provided that the replaced certificate template was still published on a certificate authority.

Are certificates of a replaced certificate template also deleted from the user account (UserCertificate) attribute?

No, such deletion must be implemented away from the PKI mechanisms.

Related links:

External sources

en_USEnglish