I recently created a certificate for a developer using a certificate template. The template was based on an existing one which I believe is based on CNG. I was able to export the private key, but the developer said that it needed to be CSP.
After some research, I am led to believe that if I were to base a new template from the code signing default template then that should be the right thing.
This is for an app registration in Azure and the developer is making a PowerShell script that will import the private key. From what I understand I will be able to import the certificate once it is published into the certificate store and then export the .PKS and the .CER. The .cer to upload to the app registration and the .PKS for the PowerShell script.
Please can someone advise me if this will work okay and if not please let me know or point me in the direction of what I should be doing. I am not that experienced with this and I am nervous about creating these on the company network and making a mess of the certificate templates. There is already the previous one which will need to be deleted.
What is the effect of deleting a template? My understanding is that it just removes the template and any certificates based on it are okay as it is only a template and the thing that matters the most is the actual certificate that is issued. Is that a correct interpretation?
It is OK and sufficient to duplicate the default Code Signing template and configure Legacy CSP in the Cryptography tab.
As a side note: I suspect that your developer uses some very legacy script that requires a 20+ year old API, which can be problematic for long-term support and security. CNG is the recommended approach for every new tool. I would strongly advise your developer to revisit his script and consider modern crypto support, which includes stronger crypto, new algorithms and easier long-term support.
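As an added illustration (not part of the thread above, and not the developer's script), the following PowerShell checks whether an issued certificate's private key is actually CSP-backed before it is handed over, and then exports the two files described in the question. It assumes Windows PowerShell 5.1 on a domain-joined machine, that the certificate was enrolled into the current user's Personal store, and that `REPLACE_WITH_THUMBPRINT` is replaced with the real thumbprint; the file names `appreg.cer` and `appreg.pfx` are also just chosen for the example.

```powershell
# Added example, not from the original thread. Verifies the key storage type
# (legacy CSP vs CNG KSP) of an enrolled certificate, then exports the public
# .cer for the Azure app registration and a password-protected .pfx for the script.

$Thumbprint = 'REPLACE_WITH_THUMBPRINT'   # placeholder, substitute your own
$Cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"

if (-not $Cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in this store."
}

# On .NET Framework (Windows PowerShell 5.1) GetRSAPrivateKey returns
# RSACryptoServiceProvider for CSP-backed keys and RSACng for KSP-backed keys.
# That distinction is exactly what a "needs CSP" script cares about.
$Key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)

switch ($Key.GetType().Name) {
    'RSACryptoServiceProvider' {
        $Provider = $Key.CspKeyContainerInfo.ProviderName   # e.g. "Microsoft Enhanced RSA and AES Cryptographic Provider"
        $Kind     = 'Legacy CSP'
    }
    'RSACng' {
        $Provider = $Key.Key.Provider.Provider               # e.g. "Microsoft Software Key Storage Provider"
        $Kind     = 'CNG KSP'
    }
    default {
        $Provider = 'unknown'
        $Kind     = 'unknown'
    }
}

Write-Host "Key storage: $Kind (provider: $Provider)"

if ($Kind -ne 'Legacy CSP') {
    # Re-enrolling from a template with "Legacy CSP" selected in the Cryptography
    # tab is the fix; an existing CNG key cannot be converted in place.
    throw "Private key is not CSP-backed; re-enroll from a template configured for a legacy CSP."
}

# Public certificate only: this is what gets uploaded to the Azure app registration.
Export-Certificate -Cert $Cert -FilePath .\appreg.cer -Type CERT | Out-Null

# Private key material: prompt for the password instead of hardcoding it.
# Export-PfxCertificate fails if the template did not mark the key exportable.
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $Cert -FilePath .\appreg.pfx -Password $PfxPassword | Out-Null

Write-Host "Exported appreg.cer (public) and appreg.pfx (private key) for thumbprint $Thumbprint"
```

The same provider check can be done without code: `certutil -user -store My <thumbprint>` prints a `Provider =` line for the key, which names either a legacy CSP or a Key Storage Provider. Keep the .pfx and its password out of the script repository and transfer them separately; only the .cer is meant to be shared.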
On the last part: Deleting the template from the Certificate Templates container on the CA, i.e. removing it from Certificate Templates to issue, is fine, as there's still a master copy somewhere.
It's a good idea not to delete certificate templates from the master set stored in AD (in the CertSrv console, right-click Certificate Templates, Manage Templates), as it makes interpretation of what that certificate was harder later, e.g. when querying the database: if the template information is gone, you start needing to infer what it was for. It is easier just to retain the template in that shared forest-level set and unpublish it from any CAs.