Windows Enterprise CA.

I have been asked to make the following attributes appear in the certificates: OU, C (country) and O (organization).

I have seen that in the "Subject Name" tab of the certificate template there is the option "Supply in the request", which lets you enter these fields manually when you request the certificate.

However, if the option "build from this Active Directory information" is checked, I don't know how to make these attributes appear in the certificate.

How can I make these attributes appear with the option "build from this Active Directory information"?

1 Answer

You can't, basically.

When ADCS builds the Subject from AD, it uses the Common Name, Org Unit, and Domain Component structure of the subscriber to create the Subject.

You can choose which format to use, such as DNS name, or Fully distinguished name, but you cannot configure the latter to any level of granularity.

If you think about it, the only subscriber information in AD that is guaranteed to be there is the Common Name and Domain Component, with the Org Unit available if the subject has been placed within an OU in AD. Country and Organization are not guaranteed to be available in AD (both are <not set> by default).

If you want to use the OU=,O=,C= format then your only option is to avoid building the Subject from AD and provide it in the request instead. That, of course, gives you headaches on how to verify the identity of the subscribers, which building from AD resolved for you.
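
One way to keep a supplied Subject tied to AD when the template uses "Supply in the request", as an added example that is not part of the original answer: the script takes the OUs from the requester's DN and O and C from the `o` and `c` attributes, and stops if either is unset. It assumes the RSAT ActiveDirectory module is installed; the template name `ExampleUserTemplate` and the file names are placeholders.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module; 'ExampleUserTemplate' and the file names are placeholders.
Import-Module ActiveDirectory

function Assert-PlainRdnValue([string]$Name, [string]$Value) {
    # c and o are <not set> by default, so fail closed instead of emitting "O=,C="
    if ([string]::IsNullOrWhiteSpace($Value)) {
        throw "AD attribute '$Name' is not set."
    }
    # Reject rather than escape: a stray ',' or '=' would change the Subject's structure
    if ($Value -match '[,+"\\<>;=\r\n]') {
        throw "AD attribute '$Name' contains a DN special character."
    }
    return $Value
}

function New-SubjectFromAD([string]$SamAccountName) {
    $u = Get-ADUser -Identity $SamAccountName -Properties c, o
    # Split the DN on unescaped commas and keep the OU components, nearest first
    $ous = @($u.DistinguishedName -split '(?<!\\),' |
        Where-Object { $_ -like 'OU=*' } |
        ForEach-Object { 'OU=' + (Assert-PlainRdnValue 'OU' ($_.Substring(3))) })
    if ($ous.Count -eq 0) { throw "$SamAccountName is not inside any OU." }
    $cn = Assert-PlainRdnValue 'CN' $u.Name
    $o  = Assert-PlainRdnValue 'o' $u.o
    $c  = Assert-PlainRdnValue 'c' $u.c
    return (@("CN=$cn") + $ous + @("O=$o", "C=$c")) -join ','
}

function New-RequestInf([string]$Subject, [string]$Template) {
    # Minimal certreq INF; the backticks keep "$Windows NT$" literal
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
Exportable = FALSE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@
}

$subject = New-SubjectFromAD -SamAccountName $env:USERNAME
New-RequestInf $subject 'ExampleUserTemplate' | Set-Content .\request.inf -Encoding ASCII
certreq -new .\request.inf .\request.req   # writes the PKCS#10 request to submit to the CA
```

The CA still receives a requester-supplied Subject, so this does not replace verifying the subscriber on the issuing side.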
