There isn't much information on the how a CA goes about the "Publish a certificate in Active Directory" process.....in fact there is next to zero information at all! So, according to the documentation "A Microsoft certification authority (CA) can add certificates that have been issued to Active Directory subjects to the appropriate Active Directory object." How does the CA make the determination about which is the "appropriate Active Directory object" to publish the certificate to? For instance, if a certificate template is configured so that: the Subject Name option is set to "Supply in the request" the "Publish certificate in Active Directory" is set and the requestor is someone who holds an Enrollment Agent certificate. How would the CA determine which is the most appropriate Active Directory object to publish this too? What steps does it take? Is there any order of preference for identifying which AD object to publish it to? Thanks Cheers Phil

On Fri, 16 Sep 2011 00:53:58 +0000, Philip Richardson wrote: For instance, if a certificate template is configured so that: * the Subject Name option is set to "Supply in the request" * the "Publish certificate in Active Directory" is set * and the requestor is someone who holds an Enrollment Agent certificate. How would the CA determine which is the most appropriate Active Directory object to publish this too? What steps does it take? Is there any order of preference for identifying which AD object to publish it to? It really doesn't matter how the Subject name is generated or whom the requestor is, the CA will publish the certificate to the account that matches the Subject or the SAN. Publishing it to any other account simply doesn't make any sense. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca CChheecckk yyoouurr dduupplleexx sswwiittcchh..