Score:0

Windows Certificate Authority - Adding Additional Attributes


In AD Certificate Templates, the templates have an option to build the subject from AD information and include Email, DNS, UPN, etc.


When creating a CSR using PowerShell, OpenSSL or the Certificates MMC snap-in, I know it's possible to add additional attributes like State, City, Organization, Organizational Unit, Locality and others. Is it possible to have this type of information pulled from AD so that when servers are set to auto-enroll, this kind of additional information is included in the cert?

I know additional information can be added to AD users/objects using Attribute Editor but I'm not sure if you can specify certificate templates to pull this information.

Thanks!

Score:1

I've written a policy module in C#, find it here: https://github.com/Sleepw4lker/TameMyCerts.

The upcoming version will definitely include the feature you described for user accounts. Maybe I'll implement it for machine accounts as well.

Kind regards

Score:1

Not with built-in functionality. You have to write a custom policy module by implementing ICertPolicy2 interface and then inside ICertPolicy::VerifyRequest call ICertServerPolicy::SetCertificateProperty to modify subject to include custom RDNs.
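As an added illustration of the approach this answer describes (example code written for this page, not code from the question, from the CA, or from the TameMyCerts project), the skeleton below implements ICertPolicy2, chains to the Windows default policy module so template checks still apply, looks up the requester in AD, and calls ICertServerPolicy::SetCertificateProperty for each mapped RDN. Assumptions: interop references to certpol.dll (CERTPOLICYLib) and certcli.dll (CERTCLIENTLib) plus System.DirectoryServices; the ProgID, GUID placeholder, the `Map` of AD attributes to Subject.* property names, and the `LookupAttributes`/`EscapeLdap` helpers are all choices made for this example. The constants come from certcli.h (PROPTYPE_STRING) and certif.h (VR_INSTANT_OK).

```csharp
// Added example, not code from the page or from TameMyCerts.
// Assumes interop assemblies for certpol.dll (CERTPOLICYLib) and
// certcli.dll (CERTCLIENTLib) and a reference to System.DirectoryServices.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;
using CERTCLIENTLib;
using CERTPOLICYLib;

namespace ExamplePolicyModule
{
    [ComVisible(true)]
    [ClassInterface(ClassInterfaceType.None)]
    [ProgId("ExamplePolicyModule.Policy")]          // assumed ProgID, registered with regasm
    [Guid("00000000-0000-0000-0000-000000000000")] // placeholder, generate a real GUID
    public class Policy : ICertPolicy2
    {
        const int PROPTYPE_STRING = 4; // certcli.h
        const int VR_INSTANT_OK = 1;   // certif.h: request was approved

        // Example mapping: AD attribute of the requester -> CA certificate property (Subject RDN).
        static readonly Dictionary<string, string> Map = new Dictionary<string, string>
        {
            { "l",          "Subject.Locality" },
            { "st",         "Subject.State" },
            { "company",    "Subject.Organization" },
            { "department", "Subject.OrgUnit" },
            { "c",          "Subject.Country" },
        };

        private ICertPolicy2 _default;

        public void Initialize(string strConfig)
        {
            // Chain to the built-in module so template and permission checks are still enforced.
            Type t = Type.GetTypeFromProgID("CertificateAuthority_MicrosoftDefault.Policy");
            _default = (ICertPolicy2)Activator.CreateInstance(t);
            _default.Initialize(strConfig);
        }

        public int VerifyRequest(string strConfig, int Context, int bNewRequest, int Flags)
        {
            int disposition = _default.VerifyRequest(strConfig, Context, bNewRequest, Flags);
            if (disposition != VR_INSTANT_OK)
                return disposition; // denied or pending: do not touch the request

            var server = new CCertServerPolicy();
            server.SetContext(Context);

            // RequesterName is DOMAIN\sAMAccountName of the authenticated enrollee.
            string requester = (string)server.GetRequestProperty("RequesterName", PROPTYPE_STRING);
            string sam = requester.Substring(requester.IndexOf('\\') + 1);

            foreach (KeyValuePair<string, string> kv in LookupAttributes(sam, Map.Keys))
            {
                object value = kv.Value; // VARIANT passed by reference
                server.SetCertificateProperty(Map[kv.Key], PROPTYPE_STRING, ref value);
            }
            return disposition;
        }

        public string GetDescription() { return "Example policy module adding RDNs from AD"; }
        public void ShutDown() { _default.ShutDown(); }
        public CCertManagePolicyModule GetManageModule() { return _default.GetManageModule(); }

        // Reads the requested attributes for one account (user or machine; machine
        // sAMAccountNames end in '$'). Helper written for this example.
        static Dictionary<string, string> LookupAttributes(string sam, IEnumerable<string> attrs)
        {
            var result = new Dictionary<string, string>();
            using (var root = new DirectoryEntry("LDAP://RootDSE"))
            using (var domain = new DirectoryEntry("LDAP://" + root.Properties["defaultNamingContext"].Value))
            using (var searcher = new DirectorySearcher(domain))
            {
                searcher.Filter = "(sAMAccountName=" + EscapeLdap(sam) + ")";
                foreach (string a in attrs) searcher.PropertiesToLoad.Add(a);
                SearchResult entry = searcher.FindOne();
                if (entry == null) return result;
                foreach (string a in attrs)
                    if (entry.Properties[a].Count > 0)
                        result[a] = entry.Properties[a][0].ToString();
            }
            return result;
        }

        // RFC 4515 escaping so a name can never alter the filter structure.
        static string EscapeLdap(string s)
        {
            var sb = new StringBuilder();
            foreach (char c in s)
            {
                switch (c)
                {
                    case '\\': sb.Append("\\5c"); break;
                    case '*':  sb.Append("\\2a"); break;
                    case '(':  sb.Append("\\28"); break;
                    case ')':  sb.Append("\\29"); break;
                    case '\0': sb.Append("\\00"); break;
                    default:   sb.Append(c); break;
                }
            }
            return sb.ToString();
        }
    }
}
```

The module is registered with regasm and activated on the CA with `certutil -setreg policy\Active` followed by a restart of the CertSvc service; the mapping table is where a deployment decides which AD attributes are trusted enough to end up in an issued subject.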
