Certificate template assignment to enterprise CAs in the forest #3
Description
Your .psm1 file contains the following code that assigns imported/generated certificate template to all enterprise CAs in the forest:
#region ISSUE
If ($Publish) {
### WARNING: Issues on all available CAs. Test in your environment.
$EnrollmentPath = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"
$CAs = Get-ADObject -SearchBase $EnrollmentPath -SearchScope OneLevel -Filter * -Server $Server
ForEach ($CA in $CAs) {
Set-ADObject -Identity $CA.DistinguishedName -Add @{certificateTemplates=$DisplayName} -Server $Server
}
}
#endregion
This code part should be removed from *.psm1 file. There is compatibility dependency for certificate template based on CA version. Reasons are:
Not all certificate templates are supported by all CAs in the forest. For example, Windows Server 2003 Standard Edition and Windows Server 2008 Standard Edition CAs support V1 version templates only. Windows Server 2003 Enterprise and Datacenter Editions support only V1 and V2 templates. Windows Server 2008 Enterprise and Datacenter editions support V1, V2 and V3 templates only. Windows Server 2008 R2-based CAs (any edition) support V1, V2 and V3 certificate templates. Only Windows Server 2012-based CAs do support V1-V4 templates by default. This means that you have to make either conditional version checking to add certificate templates or remove the code completely. It is a bit complicated stuff, so I think it is better to remove this part completely.
Template version is determined by SchemaVersion attribute.