I recently removed our old CA, following a KB article on how to decommission a CA. I then followed this guide to build a two-tier PKI hierarchy (1 offline root CA, 1 subordinate CA): http://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx
All PKI health seems to be OK and all CRL/AIA's have been published by managing the CA.
On the old CA infrastructure, users were able to authenticate with their credentials. This new system does not seem to work. I created an IAS/RAS certificate template and issued it to the NPS server. I then created a workstation client/server auth certificate and issued it to a test machine, but that did not work either.
It's good to note that iPhone users are able to authenticate without issue. This only occurs on domain machines. HOWEVER, when the iPhone authenticates, it has to accept a certificate from our OLD CA...even though I could have sworn I removed all remnants of our old CA. Now I am trying to make sure that our new CA can handle these requests...but this cannot be done without the right templates ... please correct me if I am wrong...
I dug around our GP and noticed that under our Computer Configuration, auto-enrollment is NOT enabled. However, under another OU, the User Configuration has auto-enrollment enabled. I'm not too sure if it's better to have this setting enabled on the computer config or the user configuration. Not sure if this was set up before my time, but something does not seem right.
Can somebody please help me with creating the right certificate templates that I could deploy to the server and client machines? Or possibly give me a better understanding of how this should all be set up. All help is appreciated!
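A read-only check that is worth running on the NPS server at this point, as an added example that is not part of the original post: it lists every machine certificate NPS could present for PEAP/EAP-TLS (private key plus Server Authentication EKU), builds each chain with online revocation checking so a CRL/AIA publishing problem shows up, flags anything that still chains to a root other than the new one (which is what the iPhone prompt suggests), lists any trusted root or intermediate still carrying the old CA's name, and reads the auto-enrollment policy value for both the Computer and User configuration. `$NewRootThumbprint` and `$OldCAName` are placeholders to substitute; `AEPolicy` is the registry value written by the "Certificate Services Client - Auto-Enrollment" policy.

```powershell
# Added example, not from the original post. Run elevated on the NPS server.
# Nothing here changes configuration; it only reads stores and policy.
param(
    [string]$NewRootThumbprint = 'REPLACE_WITH_NEW_ROOT_THUMBPRINT',  # placeholder
    [string]$OldCAName         = 'REPLACE_WITH_OLD_CA_COMMON_NAME'    # placeholder
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, required for PEAP/EAP-TLS

function Get-ChainReport {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation checking: a CRL/AIA that was not really published fails here
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built = $chain.Build($Cert)
    # The last element of the chain is the root the local machine resolved to
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject         = $Cert.Subject
        Issuer          = $Cert.Issuer
        Thumbprint      = $Cert.Thumbprint
        NotAfter        = $Cert.NotAfter
        ChainBuilt      = $built
        RootSubject     = $root.Subject
        RootThumbprint  = $root.Thumbprint
        ChainsToNewRoot = ($root.Thumbprint -eq $NewRootThumbprint)
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# 1. Every certificate NPS could select for EAP: private key + Server Authentication EKU
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) }

if (-not $candidates) {
    Write-Warning 'No certificate with a private key and the Server Authentication EKU in LocalMachine\My; NPS has nothing valid to present.'
}

$reports = @($candidates | ForEach-Object { Get-ChainReport -Cert $_ })
$reports | Format-List

# 2. Anything not chaining to the new root is a leftover of the old hierarchy
$reports | Where-Object { -not $_.ChainsToNewRoot } | ForEach-Object {
    Write-Warning "Leftover: '$($_.Subject)' chains to '$($_.RootSubject)' (status: $($_.ChainStatus))"
}

# 3. Old CA certificates still trusted on this machine (Root and intermediate CA stores)
foreach ($store in 'Root', 'CA') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like "*$OldCAName*" } |
        ForEach-Object { Write-Warning "Old CA still trusted in LocalMachine\${store}: $($_.Subject) [$($_.Thumbprint)]" }
}

# 4. Auto-enrollment as applied by Group Policy: HKLM = Computer Configuration, HKCU = User Configuration
#    AEPolicy: 7 = enabled with "renew expired/update pending" and "update templates" checked,
#              0x8000 = explicitly disabled, missing = not configured
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $val = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    $state = if ($null -eq $val)      { 'not configured' }
             elseif ($val -band 0x8000) { 'disabled' }
             elseif ($val -band 1)    { "enabled (AEPolicy=$val)" }
             else                     { "unexpected value $val" }
    "Auto-enrollment [$hive]: $state"
}
```

For an NPS server the certificate is a machine certificate, so the value that matters for it is the one under HKLM (Computer Configuration); the User Configuration setting only governs user certificates. If step 2 reports a candidate chaining to the old root, that is the certificate the iPhones are being asked to accept, and NPS will keep selecting it until it is removed and a certificate from the new subordinate CA is in place.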