Skip to end of metadata
Go to start of metadata

Table of Contents

How one can put custom defined RDNs in the certificates?

Custom RDNs are not supported by the Certification service. However it is still possible to use the RDNs from within the PKCS#10 request by configuring the certification profile as explained below:

  1. Go to Certification Service
  2. Add/Edit the Certification Profile
  3. In the " Distinguish Name Attributes" field, set the attribute "$PKCS10"
  4. Save/ Update the profile
  5. Restart the Certification Service 
  6. Send the certification request (PKCS#10) including the custom defined RDNs.

What is an External CA?

The term “External CA” refers to any CA whose private key does not reside on the ADSS Server.  A service URL is registered within ADSS Server so that certification requests can be sent to this CA. Any supported CA can be used and these can be operated internally. It can be a CA run by a managed certificate service provider, see Manage CAs > Configure External CA for more details.

How to use delta CRLs published by the Microsoft CA within ADSS Server?

With the default Microsoft CA configurations ADSS Server fails to download the delta CRLs as the delta CRL file name contains a + sign.  You can tune the Microsoft CA configurations so that it does not include the + sign in the delta CRL file names.  Follow these instructions to make required configurations in the MS CA:

  • Go to the Start Menu > Control Panel > Administrative Tools and launch the Certification Authority
  • Right click on the CA certificate node and click on Properties
  • In the Properties dialog, go to the Extensions tab
  • For the CRL Distribution Point (CDP) extension, by default a CRL file publishing address is configured like this:
    • C:\WINDOWS\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
  • By default the options to publish both the CRL and the delta CRL to this location are selected. Note the variable <DeltaCRLAllowed> is the reason why MS CA adds a + sign in the delta CRL file name while it doesn't add any such character in the full CRL file name. 
  • Remove this default address and add two separate addresses out of which one is for publishing the full CRL where the option to publish CRL to this location is selected. The other address is specifically for delta CRLs for which only the option to publish delta CRL to this location is selected.  The example addresses are listed below:
    • C:\WINDOWS\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix>.crl
    • C:\WINDOWS\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix>_DELTA.crl 
As in the second address listed above, the fixed string "_DELTA" is used instead of the variable "<DeltaCRLAllowed>" to avoid inclusion of + sign in the CRL file name. 
  • Apart from the CRL publishing path currently there is a default CRL Distribution Point configured for both the full and delta CRLs like this:
    • http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
  • This should also be removed and two new CRL addresses should be added likewise:
    • http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix>.crl (used as the CDP Extension within issued certificates) http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix>_DELTA.crl (used as Freshest CRL Extension within the issued CRLs)

How to configure a certification profile to override subject Distinguished name in the issued certificates?

ADSS Certification Service provides a flexible format for specifying the subject DName. It can be configured to use either a hard-coded subject DName for all user certificates or use the DName information requested by the client application in the certificate request message. Here are the examples on how to configure the subject DName value:

  •  If the DName value is configured as “CN=$CN, OU=$OU, O=$O, C=$C” this means that the values for CN, OU, O and C attributes will be taken from the ones provided in the request message sent by the client application. Suppose if there will be multiple OUs or other attributes in the request then all RDNs will be put in the certificate.
  • If the subject DName is configured as “CN=$CN, OU=$OU, O=Ascertia, C=GB, C=US” it means that values for the CN and OU attributes will be taken from the request message sent by the client application and values for O is fixed as "Ascertia"and C attribute is fixed as “GB” and "US". Other supported elements are Locality (L), State (S), Serial Number (Sr) and E-mail address (E).
In a specific scenario if this is required to use the full subject distinguished name as it is provided in the certificate request (PKCS#10) then only provide the text "$pkcs10" in the "Distinguished Name Attributes" field.  This way even if some of the attributes coming in the PKCS#10 are not supported, these will be used as they are provided in the request.
  • No labels