How can custom-defined RDNs be put in the certificates?

Custom RDNs cannot be defined in the Certification Service itself. However, RDNs supplied in the PKCS#10 request can still be carried into the certificate by configuring the certification profile as follows:

  1. Go to Certification Service
  2. Add/Edit the Certification Profile
  3. In the "Distinguished Name Attributes" field, set the attribute "$PKCS10"
  4. Save/Update the profile
  5. Restart the Certification Service
  6. Send the certification request (PKCS#10) including the custom-defined RDNs.

What is an External CA?

The term "External CA" refers to any CA whose private key does not reside on the ADSS Server. A service URL is registered within ADSS Server so that certification requests can be sent to this CA. Any supported CA can be used, whether it is operated internally or run by a managed certificate service provider; see Manage CAs > Configure External CA for more details.

How to configure a Microsoft CA with ADSS Server?

This section describes how business applications can register users, have ADSS Server generate keys and then have an external Microsoft CA certify these.

The steps below configure the ADSS Server certification module (ADSS_MSCA) within Internet Information Services (IIS) on the Windows 2003 CA server so that this CA can be used by the ADSS Server Certification Service.

For installation and configuration of Windows 2003 Certification Authority (CA) itself, consult the separate ADSS – Microsoft CA 2003 Installation & Configuration Manual.

The Microsoft .NET Framework must be installed on the target server in order to run the ADSS_MSCA module.

Configuration of ADSS_MSCA module in IIS:

The following steps are required to configure the ADSS_MSCA module with IIS:


Configuring the ADSS_MSCA module to work with Windows 2003 CA Server:
The following steps are needed to use the Windows 2003 CA server with ADSS Server; they are performed on the machine where the CA is installed:

The Windows 2003 CA server can be installed on the same machine where ADSS Server is running.

Before ADSS Server sends any requests, make sure the policy module of the Windows 2003 CA is set to issue certificates automatically; otherwise requests are left pending instead of being certified. Restart the CA service after changing this setting.

For ADSS Server to connect to the Windows 2003 CA, configure the ADSS certification policy to point to this web application running on IIS. This is described in the ADSS Admin Manual.


How to use delta CRLs published by the Microsoft CA within ADSS Server?

With the default Microsoft CA configuration, ADSS Server fails to download delta CRLs because the delta CRL file name contains a + sign. The Microsoft CA can be configured so that the + sign does not appear in delta CRL file names. Follow these instructions to make the required configuration changes in the MS CA:

As in the second address listed above, the fixed string "_DELTA" is used in place of the variable "<DeltaCRLAllowed>" (which expands to a + sign when a delta CRL is published) so that no + sign appears in the delta CRL file name.
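As an added illustration of why the + sign is a problem (this is not part of the original FAQ and not ADSS Server or Microsoft code): a downloader that decodes URL paths as form data turns + into a space and asks the web server for a file that does not exist, while a client that follows RFC 3986 treats + in a path literally. That form-decoding behaviour is an assumption used to model the failure, not a statement about ADSS Server internals; the host name, CA name and list of published files are constructed for the example. The block also shows the two ways out: percent-encoding the + as %2B on the client side, or the fixed _DELTA suffix on the CA side that the FAQ recommends.

```python
"""Delta CRL file names with a "+" sign: why some downloaders miss them.

Added example, not ADSS Server or Microsoft code. Host name, CA name and
the set of published files are constructed for illustration.
"""
from urllib.parse import quote, unquote, unquote_plus, urlsplit, urlunsplit

# Constructed: URLs as a default Microsoft CA writes them into the CDP
# extension (base CRL) and the Freshest CRL extension (delta CRL).
BASE_CRL_URL = "http://ca.example.test/CertEnroll/Example%20CA.crl"
DELTA_CRL_URL = "http://ca.example.test/CertEnroll/Example%20CA+.crl"

# Constructed: file names actually present in the CA's CertEnroll share.
PUBLISHED_FILES = {"Example CA.crl", "Example CA+.crl"}


def path_rfc3986(url: str) -> str:
    """RFC 3986 path decoding: only %XX escapes are decoded, "+" is literal."""
    return unquote(urlsplit(url).path)


def path_form_decoded(url: str) -> str:
    """Path decoded as application/x-www-form-urlencoded: "+" becomes a space.
    Assumed behaviour of a downloader that cannot fetch delta CRLs."""
    return unquote_plus(urlsplit(url).path)


def requested_file(url: str, decoder) -> str:
    """File name the web server is asked for after the client decodes the path."""
    return decoder(url).rsplit("/", 1)[-1]


def download_succeeds(url: str, decoder) -> bool:
    """Model the server side: the request succeeds only if the decoded name exists."""
    return requested_file(url, decoder) in PUBLISHED_FILES


def escape_plus(url: str) -> str:
    """Workaround 1 (client or proxy side): percent-encode "+" as %2B so that
    form-style and RFC 3986 decoders both arrive at the published name."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=quote(unquote(parts.path), safe="/")))


def fixed_suffix_name(file_name: str, suffix: str = "_DELTA") -> str:
    """Workaround 2 (CA side, what the FAQ recommends): publish the delta CRL
    under a fixed suffix instead of the "+" that <DeltaCRLAllowed> expands to."""
    if file_name.endswith("+.crl"):
        return file_name[: -len("+.crl")] + suffix + ".crl"
    return file_name


if __name__ == "__main__":
    for url in (BASE_CRL_URL, DELTA_CRL_URL):
        for name, dec in (("rfc3986", path_rfc3986), ("form", path_form_decoded)):
            print(f"{name:8} {requested_file(url, dec)!r:22} ok={download_succeeds(url, dec)}")
    print("escaped:      ", escape_plus(DELTA_CRL_URL))
    print("fixed suffix: ", fixed_suffix_name("Example CA+.crl"))
```

A delta CRL that cannot be fetched must be treated as a validation failure, not as "no revocations". Whichever workaround is applied, confirm afterwards from the validation logs that the delta CRL is actually retrieved.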

How to configure a certification profile to override the subject Distinguished Name in the issued certificates?

ADSS Certification Service provides a flexible format for specifying the subject DName. It can be configured either to use a hard-coded subject DName for all user certificates or to use the DName information supplied by the client application in the certificate request message. Here are examples of how to configure the subject DName value:

If the full subject Distinguished Name is to be used exactly as provided in the certificate request (PKCS#10), enter only the text "$pkcs10" in the "Distinguished Name Attributes" field. Even attributes in the PKCS#10 that the service does not itself support will then be used as they are provided in the request. This also means the subject is whatever the requester put in the PKCS#10, so those attributes must be validated by the application before the request is submitted.
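As an added example serving both the custom-RDN procedure in the first question and the "$pkcs10" setting described here (not code from the original FAQ or from ADSS Server): it DER-encodes an X.501 Name (the subject of a PKCS#10 request) containing a custom attribute, decodes it again, and models what the "Distinguished Name Attributes" field lets through. The private OID 1.3.6.1.4.1.99999.1 is an assumption chosen for illustration, and apply_profile is a simplified model of the profile field, not the product's actual logic.

```python
"""Custom RDNs in a PKCS#10 subject and the "$PKCS10" profile setting.

Added example, not ADSS Server code. It encodes an X.501 Name in DER, decodes
it back, and models the "Distinguished Name Attributes" field: "$PKCS10" keeps
every requested attribute, custom OIDs included; a list such as "CN, O" keeps
only those. The private OID below is an assumption used for illustration.
"""

# Attribute types the (modelled) profile can name explicitly.
KNOWN_TYPES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}
CUSTOM_OID = "1.3.6.1.4.1.99999.1"  # assumed private-enterprise arc, illustration only

SEQUENCE, SET, OID, UTF8STRING = 0x30, 0x31, 0x06, 0x0C


def _length(n: int) -> bytes:
    """DER length: short form below 128, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))


def encode_name(attrs) -> bytes:
    """attrs: [(dotted_oid, value)], one AttributeTypeAndValue per RDN."""
    rdns = b"".join(
        _tlv(SET, _tlv(SEQUENCE, encode_oid(oid) + _tlv(UTF8STRING, val.encode("utf-8"))))
        for oid, val in attrs
    )
    return _tlv(SEQUENCE, rdns)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_name(der: bytes):
    """Parse a DER Name back into [(dotted_oid, value)] in request order."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != SET:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            _, oid_body, q = _read_tlv(atv, 0)
            _, val_body, _ = _read_tlv(atv, q)
            attrs.append((decode_oid(oid_body), val_body.decode("utf-8")))
    return attrs


def apply_profile(attrs, dn_attributes: str):
    """Simplified, assumed model of the "Distinguished Name Attributes" field."""
    if dn_attributes.strip().lower() == "$pkcs10":
        return list(attrs)  # request subject passed through verbatim, custom OIDs included
    wanted = {a.strip().upper() for a in dn_attributes.split(",")}
    return [(o, v) for o, v in attrs if KNOWN_TYPES.get(o) in wanted]


if __name__ == "__main__":
    # Constructed request subject: two standard attributes plus one custom OID.
    request = [("2.5.4.3", "alice"), ("2.5.4.10", "Example Ltd"), (CUSTOM_OID, "dept-42")]
    der = encode_name(request)
    print("DER:", der.hex())
    print("decoded:", decode_name(der))
    print("$PKCS10:", apply_profile(decode_name(der), "$PKCS10"))
    print("CN, O  :", apply_profile(decode_name(der), "CN, O"))
```

Only the $PKCS10 setting lets the custom attribute reach the certificate, because the profile has no way to name it. The cost is that every attribute in the request lands in the issued certificate, so authorization of the requested subject has to happen before the PKCS#10 reaches the Certification Service.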