Custom Subject Relative Distinguished Names in the Certificate Subject?

Hi,

According to: https://technet.microsoft.com/en-us/library/cc772812%28WS.10%29.aspx,

the following relative distinguished name elements are allowed in the subject of certificates in a version 2 template:
  • COUNTRY_NAME              "2.5.4.6"                      "Country"
  • ORGANIZATION_NAME         "2.5.4.10"                     "OrganizationalUnit"
  • ORGANIZATIONAL_UNIT_NAME  "2.5.4.11"                     "Organization"
  • COMMON_NAME               "2.5.4.3"                      "CommonName"
  • LOCALITY_NAME             "2.5.4.7"                      "Locality"
  • STATE_OR_PROVINCE_NAME    "2.5.4.8"                      "State"
  • TITLE                     "2.5.4.12"                     "Title"
  • GIVEN_NAME                "2.5.4.42"                     "GivenName"
  • INITIALS                  "2.5.4.43"                     "Initials"
  • SUR_NAME                  "2.5.4.4"                      "SurName"
  • DOMAIN_COMPONENT          "0.9.2342.19200300.100.1.25"   "DomainComponent"
  • RSA_emailAddr             "1.2.840.113549.1.9.1"         "EMail"
  • STREET_ADDRESS            "2.5.4.9"                      "StreetAddress"
  • RSA_unstructName          "1.2.840.113549.1.9.2"         "UnstructuredName"
  • RSA_unstructAddr          "1.2.840.113549.1.9.8"         "UnstructuredAddress"
  • DEVICE_SERIAL_NUMBER      "2.5.4.5"                      "DeviceSerialNumber"

We have a requirement to include the 'UID' attribute in the subject of certificates.

Can this be achieved with the later v3 or v4 certificate version templates?

Thank you,

SK



  • Edited by Shim Kwan Tuesday, April 28, 2015 1:52 AM
April 28th, 2015 1:20am

So both Brian & Vadims state that there is a way of doing this.

Is this something that can be done out-of-the-box or did you need to write some code to get it to work?

April 28th, 2015 9:31pm

My method requires custom code... You need to purchase FIM CM server and licensing to deploy the custom policy modules.

Brian

April 30th, 2015 12:57am

Though, there is a method:

certutil -setreg CA\CRLFlags +CRLF_REBUILD_MODIFIED_SUBJECT_ONLY
net stop certsvc
net start certsvc

NOTE: when this flag is enabled, the CA does not check the distinguished name in the subject for validity and leaves it as is. This means that any certificate request passed to the CA server must be manually approved, as it will allow an arbitrary name to be passed and possibly impersonate another entity. And the certificate template must be configured to accept the subject from the request. This means that you lose autoenrollment functionality. Therefore you still may consider Brian's suggestion and purchase FIM CM.

April 30th, 2015 3:50am
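The condition Vadims describes (subject validation switched off by CRLF_REBUILD_MODIFIED_SUBJECT_ONLY, a template that takes its subject from the request, and no manual approval) can be audited from the CA host. The PowerShell below is an added example, not code from anyone in this thread; it assumes the ActiveDirectory and ADCSAdministration modules are installed, that the first CA under the CertSvc configuration key is the one of interest, and that the bit values are those from certsrv.h and the template schema (verify against your SDK headers).

```powershell
# Added audit example (not from the thread). Flags CA + template combinations where the
# subject DN is neither validated by the CA nor reviewed by a certificate manager.
$CRLF_REBUILD_MODIFIED_SUBJECT_ONLY = 0x20   # CA\CRLFlags bit (certsrv.h, assumed value)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT  = 0x1    # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS          = 0x2    # msPKI-Enrollment-Flag: "CA certificate manager approval"

# 1. Read CRLFlags for the first CA configured on this host (assumption: only one CA here).
$caKey    = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' |
            Select-Object -First 1
$crlFlags = (Get-ItemProperty -Path $caKey.PSPath -Name CRLFlags).CRLFlags
$subjectUnchecked = ($crlFlags -band $CRLF_REBUILD_MODIFIED_SUBJECT_ONLY) -ne 0
"CA {0}: CRLFlags = 0x{1:X}; subject validation disabled: {2}" -f $caKey.PSChildName, $crlFlags, $subjectUnchecked

# 2. Look only at templates actually published on this CA.
$published   = (Get-CATemplate).Name
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
               (Get-ADRootDSE).configurationNamingContext

Get-ADObject -SearchBase $templatesDn -Filter 'objectClass -eq "pKICertificateTemplate"' `
             -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag' |
  Where-Object { $published -contains $_.Name } |
  ForEach-Object {
    $suppliesSubject = ($_.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $needsApproval   = ($_.'msPKI-Enrollment-Flag'       -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0

    # Vadims' rule: with subject checks off, a request-supplied subject must be approved by hand.
    $risk = if ($subjectUnchecked -and $suppliesSubject -and -not $needsApproval) {
              'HIGH: unchecked subject, issued without approval'
            } elseif ($suppliesSubject -and -not $needsApproval) {
              'review: subject from request, auto-issued'
            } else { 'ok' }

    [pscustomobject]@{
      Template        = $_.Name
      SuppliesSubject = $suppliesSubject
      ManagerApproval = $needsApproval
      Risk            = $risk
    }
  } | Sort-Object Risk -Descending | Format-Table -AutoSize
```

Any template reported as HIGH is exactly the case the note above warns about: the CA passes the requested subject through unchanged and nobody looks at it before issuance.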

Thank you both.
April 30th, 2015 10:14pm
