Channel: Security forum

Best practice settings for Computer Template Certificate and Server Template Certificate


Hi,

We are going to deploy a new computer certificate to all workstations and laptops.

At the same time we are changing the SubCA to a new one and eventually decommissioning the old one, so we have certificates in place today but only on those that need it; it is deployed via an AD group membership.

Also thinking of deploying a computer certificate to all servers.

I have a few questions on the above.

1. I have created a computer certificate template with the below settings on the NEW SubCA.

We are thinking of deploying this computer certificate to all client machines instead of, as before, deploying it only to those clients which use it for WiFi and VPN.

Is there any downside to this, or is it only positive?

-Validity period: 2 years

-Renewal period: 12 weeks

-Purpose: Signature and encryption

-Minimum key size: 2048

-Subject name format: None

-Include this information in alternative subject name: DNS name

-Extensions -- Application Policies -- Client Authentication

-Minimum Supported CAs: Windows Server 2003 Enterprise

A setting I'm not sure about is the "Subject name format"; should something be specified in this? What is best practice? Any other recommendations to think about?

2. Computer certificate for servers

I was thinking of using the same settings as above but also using Server Authentication along with Client Authentication for Application Policies.

Also, the same question as above about "Subject name format": any setting I should use?

3. Deploying the certificates to all client computers

Should I deploy it to Domain Computers? But this would also include servers, or?

Regards

Niklas

