certificate subject as computer netbios name
We just set up a root CA in our environment and need to be able to edit the Computer template so that it creates certificates for the computers with the computer's NetBIOS name in the subject or as part of the SAN. Does anyone know how to do this?
February 21st, 2011 2:03pm

Hello, I suggest using the Security forum instead of this one: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
February 21st, 2011 7:30pm

So you want me to duplicate this post in another thread? Isn't that frowned upon?
February 21st, 2011 7:51pm

Hello, there is no problem in creating the thread in the other forum, just add the link to this one. Of course we can wait until a moderator will maybe move it.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
February 21st, 2011 8:08pm

Ok, it's moved. So can anyone help me with this?
February 21st, 2011 9:44pm

This is not possible using standard tools, because the certificate template's SAN extension properties don't allow the subject's NetBIOS name to be included automatically.
http://en-us.sysadmins.lv
February 22nd, 2011 3:22am

What about putting the NetBIOS name in the subject and putting the DNS name in the SAN? Is that possible?
February 22nd, 2011 12:34pm

Yes, but obviously this wouldn't work, because if the SAN extension is present, the Subject field is ignored. Therefore it is necessary to place both the DNSName and the NetBIOS name in the SAN extension.
http://en-us.sysadmins.lv
February 22nd, 2011 1:07pm

I am not aware of this. Is it stated in a standard somewhere that if SAN is present, Subject is ignored? I was under the impression that it extends other possible usable Subjects, not replaces it.
February 22nd, 2011 1:25pm

In some ways it extends. But it is not possible to use both extensions (though the Subject field is not an extension, but a certificate property) for authentication.
http://en-us.sysadmins.lv
February 22nd, 2011 4:15pm

Still need proof that your statement is true. An RFC point of reference would be good.
March 1st, 2011 12:20am

The RFCs don't specify exact processing rules when both the Subject field and the SAN extension are present. However, the de facto rule is:
- if only the Subject field is present, it is used for entity identification.
- if both the Subject field and the SAN extension are present, the SAN is used for entity identification (example implementation: http://www.digicert.com/subject-alternative-name-compatibility.htm ).
- if only the SAN extension is present, it is used for entity identification. In this case the SAN extension is marked as critical (marked with a yellow triangle in the certificate view) and the Subject field must be empty.

Another example is a user authentication certificate. This certificate contains a SAN extension with the entity's UPN (User Principal Name) and a Subject field with the user's DN name. Domain controllers ignore the Subject field and use only the UPN from the SAN extension.
http://en-us.sysadmins.lv
March 1st, 2011 2:35am
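
The identification rule described in the last reply, as an added Python example that is not part of the original thread or any poster's code: it applies the rule to three constructed certificates given in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. The host names (`SRV01`, `srv01.corp.example`), the function names, the exact case-insensitive comparison without wildcards, and the fallback to the Subject when the SAN holds no DNS entries are assumptions.

```python
# Added example: constructed certificates, shaped like ssl getpeercert() output.

def subject_common_names(cert):
    """Return every commonName value found in the Subject field."""
    return [value
            for rdn in cert.get("subject", ())
            for (attr, value) in rdn
            if attr == "commonName"]


def san_dns_names(cert):
    """Return the DNS-type entries of the SAN extension, if any."""
    return [value
            for (kind, value) in cert.get("subjectAltName", ())
            if kind == "DNS"]


def identities(cert):
    """Names a relying party uses to identify the machine.

    SAN present -> only the SAN entries count, the Subject is ignored.
    SAN absent  -> the Subject common name is used.
    Assumption: a SAN without DNS entries falls back to the Subject.
    """
    return san_dns_names(cert) or subject_common_names(cert)


def matches(cert, name):
    """Exact, case-insensitive comparison (assumption: no wildcards)."""
    wanted = name.rstrip(".").lower()
    return any(wanted == i.rstrip(".").lower() for i in identities(cert))


# Constructed samples for a hypothetical host SRV01 / srv01.corp.example.
SUBJECT_ONLY = {"subject": ((("commonName", "SRV01"),),)}
NETBIOS_IN_SUBJECT = {"subject": ((("commonName", "SRV01"),),),
                      "subjectAltName": (("DNS", "srv01.corp.example"),)}
BOTH_IN_SAN = {"subject": (),
               "subjectAltName": (("DNS", "srv01.corp.example"),
                                  ("DNS", "SRV01"))}

if __name__ == "__main__":
    samples = {"subject only": SUBJECT_ONLY,
               "NetBIOS in Subject, DNS in SAN": NETBIOS_IN_SUBJECT,
               "both names in SAN": BOTH_IN_SAN}
    for label, cert in samples.items():
        hits = [n for n in ("SRV01", "srv01.corp.example") if matches(cert, n)]
        print(f"{label}: matches {hits}")
```

The second sample is the layout asked about in the thread: the NetBIOS name in the Subject stops matching as soon as a SAN with a DNS name is present.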
