Domain Controller autoenrollment - changing issuing CA

Question

We are cleaning up our Windows PKI/CA environment and replacing our root CA with a new server. The current root CA has been issuing the following certificate templates for years now (in addition to the Subordinate certificate template):

• Kerberos Authentication
• Domain Controller Authentication (we know this is superseded now by the Kerberos Authentication template)
• Domain Controller (we know this is superseded now)
• Directory Email Replication

The subordinate CA also has the templates "issued".

We know that this isn't ideal, and the new root CA will be set to only issue the subordinate certificate template.

THE QUESTION:

After removing the templates above from being issued by the root CA (NOT deleting the template itself, just removing it from being issued from that root CA), when the domain controllers automatically renew those certificates above, will they know to look at the subordinate CA for the renewal/issuance of a new certificate based on those templates required for a domain controller? Or is there something else we need to do to proactively issue new certificates to the DC's in the environment? The existing certificates won't be revoked so they'll be valid until re-enrollment happens, but we are curious if re-enrollment will fail if the original certs were issued by the old root CA. We aren't sure how DC's "decide" which CA to pick from if more than one CA is allowed to issue these DC templates.

Additional Add-On Question:

Do you know what affect existing certs will have that were issued from the existing SubCA after we replace the rootCA? We are migrating the rootCA to a new name per: Step-By-Step Migrating CA to new server -- others in the comments asked basically the same question I'm asking about existing certs but with no reply. My guess is that as long as the client still has the old RootCA in their Trusted Root Store and the SubCA in the Intermediate Store, they should still have a good cert chain until the cert expires, but I'd like to know for sure ahead of time.

Answer 1

when the domain controllers automatically renew those certificates above, will they know to look at the subordinate CA for the renewal/issuance of a new certificate based on those templates required for a domain controller?

yes. Enrollment clients will enumerate all CAs that support requested template from AD first. Then client will choose random CA from this list to send renewal request. That is, removing all templates from root CA is fine, clients will attempt another available CA that supports this template.

p.s. though I would consider to convert Enterprise Root CA (domain-joined) to Standalone Root CA (workgroup member) so you can turn off root CA for most of time because it has nothing to do online. You would turn on it once or twice a year to publish the CRL or when you need to sign subordinate CA certificate. But it is another question, just a good way to follow best practices.

Update 1 (21.01.2022)

Microsoft Docs pages don't show anything about how it enumerates the CAs, etc.

Enrollment client calls generic IX509Enrollment::Enroll which performs a series of calls (very simplified steps):

CA discovery using [MS-XCEP]

1. Load a list of policies from registry.
2. Group policies by PolicyId attribute.
3. Groups are sorted by Cost attribute, then by Authentication attribute. Kerberos authentication has higher precedence. The rest groups are placed in arbitrary order.
4. Query each policy by calling IPolicy::GetPoliciesResponse web method. Response contains a list of CA web services
5. Response contains: a list of certificate templates the caller has permissions to enroll and a list of CA endpoints (that implement [MS-WSTEP] protocol) with the information about supported certificate templates.
6. prepare empty list.
7. for each sorted policy group:
8. order CAs by Cost attribute, then by Authentication attribute. Kerberos authentication has higher precedence. The rest groups are placed in arbitrary order. Eliminate CAs the caller has no permissions on. Append ordered CAs to the list in same order.
9. repeat (8) until all CAs are added to the list.
10. for each CA in remaining list:
11. generate certificate request and call ICertRequest::Submit to submit request to selected CA.
12. repeat (11) until the call succeeds.

CA discovery using [MS-WCCE]

1. do do-while loop call of ICertConfig::Next to enumerate all autodiscovered CAs (local, registered in AD, stored in shared directory, etc.). This will produce a list of all possible CAs.
2. For each CA client makes a ICertRequest2::GetCAProperty call with CR_PROP_TEMPLATES as a propID parameter. Eliminate offline CAs.
3. Filter list obtained in (1) to eliminate CAs that does not support requested template.
4. if CA site awareness is configured, filter list of CAs that are in same ADDS site as client. Do not filter if CA site awareness is not configured or there is no CAs in same ADDS site where client resides.
5. Call ICertRequest::GetCACertificate to retrieve CA certificate and validate each. Eliminate CAs with invalid or untrusted certificate.
6. pick arbitrary CA from remaining list, generate certificate request and call ICertRequest::Submit to submit request to selected CA.

Again, it is a simplified task sequence for enrollment client to discover CAs and submit certificate request.

Update 2

Do you know what affect existing certs will have that were issued from the existing SubCA after we replace the rootCA?

literally nothing as long as root CA is trusted by clients.