Missing subject field values in user certificate (Windows)

ad-certificate-servicescertificatecertificate-authority

I am trying to enroll (on behalf of) a user certificate but certain fields appear to be missing in the subject field. Specifically, O and OU.

Using ADSI, I see that the fields have the values I want but when I generate the certificate using Enroll on Behalf, certreq.exe, or certmgr.msc (run as different user) O does not appear at all and OU values are the AD containers the user account belongs to. This occurs despite my specifying the values in my .inf for certreq and setting the values in certificate properties when using certmgr.msc.

Am I missing something or could I have configured something wrong? I am using an in internal CA.

Best Answer

A bit late but might help someone else.

If you are requesting certs based on a template, the template would be configured how to generate a subject on the cert. Specifically it will be configured either to read the properties from AD or accept the value specified in the request.

This looks like its configured to read the properties from AD. Therefore, the content in the request (be it the .inf or properties of request when using certmgr) will be ignored.

If you want to use the properties in the request you need to edit the template to not use the values from AD but use the properties in the request instead.

Related Solutions

Custom Certificate Template is listed as unavailable

I managed to figure it out! Because my company does not use issuance policies, there was nothing for the certificate to resolve to. So, to fix this, I changed the template from using issuance policies to using application policies.

To do this, open the properties of the certificate template.

Click the "Issuance Requirements" tab.

In the "Policy type required in signature:" dropdown, select "Application policy".

Next, in the "Application policy:" dropdown, select "Certificate Request Agent". This gives you the permissions to use that template.

Simply import the template onto the CA and you're done.

Subject Alternative Name not added to certificate

I know this is old, but I've just figured it out myself and thought it might help someone else. I too have been unable to get CA to add the SAN via either the web page or the certreq ... -attrib "SAN:DNS=<FQDN>[&DNS=<FQND2>...]..." format. The SAN attribute was ignored, even though the certificate was issued.

However, I found that it works with this format: certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=<Name1>[&DNS=<name2>...][&IPAddress=<IP1>...]" <csr filename> <cer filename>

For example, if you have a certificate request file called HP_VC.csr and you want the subject alternative names to be vc1, vc2, vc1.domain.com, vc2.domain.com, 192.168.1.1, and 192.168.1.2 the command would be:

certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=vc1&DNS=vc2&DNS=vc1.domain.com&DNS=vc2.domain.com&IPAddress=192.168.1.1&IPAddress=192.168.1.2" HP_VC.csr HP_VC.cer

The certificate in HP_VC.cer will contain the SAN attribute.

I'm using this for HP Virtual Connect (VC) modules, Onboard Administrators (OA) and iLOs. It should work for any generic situation that needs a certificate with a SAN.

Best Answer

Related Solutions

Custom Certificate Template is listed as unavailable

Subject Alternative Name not added to certificate

Related Topic