MSCA: How to add Organizational Unit to a certificate (Network Steve Forum)

MSCA: How to add Organizational Unit to a certificate

Hi there, is there a way to specify a particular OU when singing a CSR through the certsrv website? There may be a command for the "Attributes" field, like you can use for SAN. The initial problem is, that I am receiving a couple of CSRs with different OUs defined. Those CSRs are signed through the certsrv website. Now, I would like to have all of them "connected" to one and the same OU. Regards, HansenCh

May 17th, 2011 9:43am

Can you be more specific about what you are trying to achieve? How do you want to link the OU ?Sumesh P - Microsoft Online Community Support

Free Windows Admin Tool Kit Click here and download it now

May 23rd, 2011 4:58am

Can you be more specific about what you are trying to achieve? How do you want to link the OU ? Sumesh P - Microsoft Online Community Support Assuming the following: - I receive a CSR file - I open the certsrv website and navigate to submit the CSR - I paste the CSR and choose a certificate template Now the certificate will be issued an the information that is included in the CSR file will be written into the certificate (location, organizational unit ...). My goal now is that a "fixed" OU will also be put into the certificate. This way a third party software could be able to query the certificate for this particular "fixed" OU. Hope, it is now a little bit easier to read.

May 23rd, 2011 9:02am

This can be achieved, but would be lot of work for each request (you might be able to script it out) On the CA server, first do the following (this need to be done once for each CA in the environment which would be issuing certificates) o Run the command, certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT o Restart CA service Then, submit the CSR to the CA using the web interface. Make sure that it goes in pending state, and is not automatically issued. Next; on the CA, use the certutil command to modify the Subject Name in the pending request Certutil -setattributes <RequestID> AttributeString Example: Certutil -setattributes 12121 “CertificateTemplate:User” Here is a KB with reference on how to do it using the web interface (for SAN)… http://support.microsoft.com/kb/931351 Sumesh P - Microsoft Online Community Support

Free Windows Admin Tool Kit Click here and download it now

May 23rd, 2011 12:25pm

This topic is archived. No further replies will be accepted.