We recently got bit by a certificate that was somehow issued by the CA, but does not show up in the issued certs list.
The short version of the story is we had an old 2003 standalone CA that we believed wasn't in use. We checked the issued cert on the server and determined that they had all expired. I followed Microsoft's page on how to remove a CA. In that process it removed the issuing CA cert if it was located in the intermediate store. Suddenly stuff broke and it was because there were certs that were requested that did not show up in the issued certs, but still relied on the issuing CA cert.
The cert itself relied on the issuing CA that we decom. It also has no template listed - it's blank. I always thought you had to have a template. This cert was requested so many years ago the resources that requested it have moved on. the CA has been deleted so we cannot go back and look at it.
We are being forced to look into root cause and it has prompted a few questions:
Does anyone know a process to request a cert with no template?
Is that process a supported method for certificates?
Is there a way to get a cert that is issued by a CA, but doesn't show up on the CA as an issued cert?
Thanks for your help!