
upgrade enterprise CA server from 2016 OS to 2025 OS

Kumar Anup 0 Reputation points
2026-05-26T09:57:19.26+00:00

Will there be any change in the user certificate being used for the Citrix FAS solution if we upgrade the enterprise CA server from the 2016 OS to the 2025 OS? I read somewhere that the user certificate subject DN was missing from 2025.


3 answers

  1. Jason Nguyen Tran 19,865 Reputation points Independent Advisor
    2026-05-29T04:32:30.29+00:00

    Hello Kumar Anup,

    I’m following up to check whether the issue has been resolved. Feel free to reply if you need further information. If the information provided was helpful, please click "Accept Answer" to help others in the community. Thank you!


  2. Jason Nguyen Tran 19,865 Reputation points Independent Advisor
    2026-05-26T10:58:29.3066667+00:00

    Hello Kumar Anup,

    Upgrading an Enterprise CA from Windows Server 2016 to Windows Server 2025 does not fundamentally change the way user certificates are issued for Citrix FAS. The certificate templates and issuance process remain consistent, so existing user certificates should continue to function as expected.

    That said, you are correct that there have been reports of differences in how subject DN attributes are displayed in newer versions of Windows Server. In practice, this does not break Citrix FAS, but it’s always a good idea to validate your certificate templates after the upgrade. Specifically, check that the subject name and SAN fields are populated correctly, and confirm that the template permissions are intact.

    Before performing the upgrade, I recommend exporting your CA configuration and templates, then re‑importing them after the OS upgrade to ensure consistency. It’s also wise to test the issuance of a few user certificates in a staging environment before rolling out the upgrade in production.

    I hope the response provided some helpful insight. If you find this answer useful, please hit “accept answer” so I know it addressed your concern.

    Jason


  3. AI answer

    2026-05-26T09:57:32.75+00:00

    Upgrading an Enterprise CA from Windows Server 2016 to Windows Server 2025 does not by itself remove the subject DN from existing user certificates or from templates. Existing certificates remain valid, and renewal is not automatically required after the CA OS is updated.

    For certificate-based authentication changes on domain controllers (KB5014754), the key impact is the new ObjectSID extension used for strong certificate mappings (PKINIT). The CA can operate in Compatibility mode so that existing certificates continue to work. If strong mapping using the ObjectSID extension is required, new certificates must be issued; otherwise, existing certificates can continue to be used.

    The example in KB5014754 shows that template behavior (including extensions) can be controlled explicitly with certutil and template flags. If the Citrix FAS solution depends on specific subject DN content, ensure that:

    1. The user certificate template used by FAS is not modified to remove or change the subject DN format during or after the CA upgrade.
    2. Any changes related to the new ObjectSID extension or strong mapping are validated in a test environment with FAS before enabling Enforcement mode on domain controllers.

    KB5014754 also clarifies that renewal is only needed if strong mapping via the ObjectSID extension is desired; otherwise, existing certificates continue to function in Compatibility mode. This aligns with keeping current FAS-issued user certificates working after the CA OS upgrade, provided template configuration is preserved.


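The post-upgrade validation the answers above recommend (subject name, SAN, and the SID extension from KB5014754) can be scripted. This is an added example and not part of any answer in the thread; it assumes two certificates for the same test user, one issued before the CA upgrade and one after, exported to the placeholder file names shown.

```powershell
# Added example: compare a user certificate issued before the CA OS upgrade
# with one issued after it. Both file names are placeholders.
param(
    [string]$BeforePath = '.\user-before-upgrade.cer',
    [string]$AfterPath  = '.\user-after-upgrade.cer'
)

$SanOid      = '2.5.29.17'              # Subject Alternative Name
$TemplateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$SidOid      = '1.3.6.1.4.1.311.25.2'   # SID extension used for strong mapping (KB5014754)

function Get-CertSummary {
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)

    # Return the decoded text of one extension, or an empty string if it is absent.
    $formatExt = {
        param($oid)
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { $ext.Format($false) } else { '' }
    }

    [pscustomobject]@{
        File      = Split-Path $full -Leaf
        Issuer    = $cert.Issuer
        NotAfter  = $cert.NotAfter
        Subject   = $cert.Subject
        San       = & $formatExt $SanOid
        Template  = & $formatExt $TemplateOid
        HasSidExt = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq $SidOid })
    }
}

$before = Get-CertSummary -Path $BeforePath
$after  = Get-CertSummary -Path $AfterPath
$before, $after | Format-List

# Flag every field that changed between the two issuances.
foreach ($field in 'Subject', 'San', 'Template', 'HasSidExt') {
    if ($before.$field -ne $after.$field) {
        Write-Warning "$field differs: '$($before.$field)' -> '$($after.$field)'"
    }
}
if ([string]::IsNullOrWhiteSpace($after.Subject)) {
    Write-Warning 'Post-upgrade certificate has an empty subject DN.'
}
```

A warning on `Subject` or `San` is the case the question asks about; a change in `HasSidExt` only matters once strong mapping is enforced on the domain controllers.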
