I recently followed a tutorial for creating a code-signing certificate (for SCUP 2011 third-party security updates) on our internal CA, and the documentation wasn't that great. After the fact, I realized that in the certificate template, I should not have allowed anything except for the code-signing server itself to "read and enroll." But the original template that I used had "read" for Authenticated Users, and "read and enroll" for Domain Computers (and even more rights for Domain Admins and Enterprise Admins.)
Now, by looking at our CA, I can see that the only machine that enrolled the original certificate template was the intended server. I have since adjusted the security tab on the certificate template, so that the next time I issue it, there should be no chance of an unintended machine enrolling a certificate for code-signing.
My question is, is the originally issued certificate "safe"? I have already signed a few security updates with said certificate, and added it to the Trusted Publishers store (with only the public-key version of the certificate) on the domain computers via GPO. It's working well, but I want to make sure that there is no potential security issue, since the original template allowed "read" to Authenticated Users, and "read and enroll" to Domain Computers.
I have a feeling that I'm probably safe, and the security tab in the certificate template is related to the original issuance/enrollment of the certificate, rather than the certificate's behavior after it's been distributed. But, I'd like to get some input from the security/certificate experts, as this is not my area of expertise.
Thanks in advance for your advice.