How to add custom OID for subject field on certificates issued by Windows Server 2008 R2 CA

Tags: active-directory, ad-certificate-services, ssl-certificate, windows-server-2008-r2

I'm using a Windows Server 2008 R2 domain controller with Active Directory Certificate Services installed. It's configured as an Enterprise Root CA.

I have configured a custom certificate template so that I can generate extended validation SSL certificates from the CA.

In many of the EV SSL certificates, the following OIDs are specified in the "Subject" field of issued certificates:

2.5.4.15 = ORGANIZATION TYPE
1.3.6.1.4.1.311.60.2.1.2 = STATE
1.3.6.1.4.1.311.60.2.1.3 = COUNTRY

For example:
2.5.4.15 = Private Organization
1.3.6.1.4.1.311.60.2.1.2 = Arizona
1.3.6.1.4.1.311.60.2.1.3 = US

I'm trying to see if there is already a place for me to specify these custom OIDs and their values to be used when requesting the certificate through Active Directory from my CA.

I took a look at an EV SSL Hotmail certificate, and its certificate has the OIDs above in its Subject field:

[screenshot: Subject field of the Hotmail EV certificate (image hosted at yffaz.org, not available)]

If I use the MMC certificate snap-in, select "local computer", and attempt to request a certificate using my custom certificate template with supplied values, I only see the following items, and none where I can specify an OID:

[screenshot: Certificate Properties dialog of the MMC request wizard (image hosted at yffaz.org, not available)]

Does anyone have an idea of how I might accomplish this?

Best Answer

The command-line certreq tool will allow you to include arbitrary extensions (by OID) in your request, but the tool is somewhat less than intuitive to use.
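The following is an added example of the certreq route the answer points at; it is not code from the question or the answer. It writes a certreq INF whose Subject string carries the three EV attributes as OID.dotted=value pairs (the syntax CryptoAPI's CertStrToName accepts for attributes certreq has no keyword for), adds an extension by OID in the [Extensions] section, submits the request to the Enterprise CA and prints the issued Subject. The hostname, organization details, CA config string and template name are placeholders, so substitute your own. Two things to check first: the template's Subject Name tab must be set to "Supply in the request", otherwise the CA rebuilds the DN from Active Directory and silently discards these attributes; and the three certreq steps must run on the same machine, because the private key generated by certreq -new lives in that machine's certificate store.

```powershell
# Added example, not code from the original question or answer.
# Builds a certreq INF with custom Subject attributes by OID, submits it to the
# Enterprise CA and inspects the result. All names below are assumptions.

$Hostname = 'www.example.com'                              # assumed
$Template = 'EVWebServer'                                  # assumed: template *name*, not its display name
$CAConfig = 'dc01.example.com\Example Enterprise Root CA'  # assumed: "<host>\<CA common name>", see certutil -dump
$Inf = Join-Path $env:TEMP 'ev-request.inf'
$Req = Join-Path $env:TEMP 'ev-request.req'
$Cer = Join-Path $env:TEMP 'ev-request.cer'

# Attributes certreq has no keyword for are written as OID.<dotted>=<value>
# inside the Subject string; the keyworded ones (CN, O, L, S, C) stay as usual.
$Subject = @(
    "CN=$Hostname",
    'O=Example Corp',                           # assumed organization details
    'L=Phoenix',
    'S=Arizona',
    'C=US',
    'OID.2.5.4.15=Private Organization',        # businessCategory
    'OID.1.3.6.1.4.1.311.60.2.1.2=Arizona',     # EV jurisdiction state/province
    'OID.1.3.6.1.4.1.311.60.2.1.3=US'           # EV jurisdiction country
) -join ', '

# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell;
# the placeholders {0},{1},{2} are filled with -f, and "{{text}}" yields the
# literal "{text}" certreq expects. The [Extensions] section shows an extension
# added purely by OID (2.5.29.17 = subjectAltName, in certreq's text form).
$IniText = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "{0}"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = {1}

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{{text}}"
_continue_ = "dns={2}&"
'@ -f $Subject, $Template, $Hostname

Set-Content -Path $Inf -Value $IniText -Encoding ASCII

# 1. Generate the key pair in the local machine store and write the PKCS#10 request.
certreq -new $Inf $Req

# 2. Submit the request to the Enterprise CA. The requesting account needs
#    Enroll permission on the template; with a template set to issue
#    automatically the signed certificate lands in $Cer.
certreq -submit -config $CAConfig $Req $Cer

# 3. Install the issued certificate and bind it to the private key from step 1.
certreq -accept $Cer

# Inspect what the CA actually signed. Attributes CryptoAPI has no friendly name
# for are displayed as OID.<dotted>=<value>; all three EV attributes should be
# present. If they are missing, the template is rebuilding the Subject from AD.
$Issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Cer
$Issued.Subject
```

If you only want to confirm the request itself before submitting, `certutil -dump $Req` shows the Subject exactly as it was encoded into the PKCS#10, which separates a certreq syntax problem from a template configuration problem on the CA side.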