Re: Sudden subject change at certificate renewal



It seems that the subject change is not so sudden after all.
After a night's sleep I realised that I installed kb943089 on the
w2k3sp2 CA and that I renewed the certificate after the fix was
installed. After uninstalling the hotfix and renewing the certificate
again the subject showed the correct Common Name again being CN =
ServerFQDN.

The article states:
- A Windows Server 2003-based computer hosts an enterprise
certification authority (CA).
- The enterprise CA issues certificates by using a customized
certificate template.
- The certificate template is configured to include the user principal
name (UPN) or the service principal name (SPN) in the alternate
subject name.

First bullet is true in my case, as is the second. The third is not
true, the template is configured to include only the DNS Name in the
SAN.
The Subject is configured to include the Common Name.

To summarize:
Without hotfix
Subject: correct Common Name and SAN: DNS Name=FQDN

With hotfix
Subject: computer sAMAccountName@xxxxxxxxxx and SAN: DNS Name=FQDN

My question is: Am I misinterpreting this kb or is the fix solving one
problem but introducing another?


Regards,
Han Valk.


On Tue, 19 Aug 2008 17:40:35 +0200, Han Valk
<han.valk@xxxxxxxxxxxxxxxxx> wrote:

I've configured a certificate template that incorporates the following
Application Policies:
Smart Card Logon
Server Authentication
Client Authentication

This way I can use it on a DC that has IAS installed. The template is
configured in such a way that the Subject gets filled with the Common
Name.
When the DC was enrolled the first time, with the new template, the
Subject contained the FQDN of the server. However when the certificate
was renewed through Autoenrollment the Subject showed
hostname$@domain.tld
Why is this happening?

Regards,
Han Valk.
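
The symptom described in this thread (a Subject of the form hostname$@domain.tld while the SAN still carries the DNS name) can be checked for across a machine's certificate store. The following PowerShell is an added example, not part of the original posts or the KB article; the function names and the sample subjects are hypothetical, and it assumes PowerShell 3.0 or later on the machine being inspected.

```powershell
# Added example: list machine certificates and flag any whose Subject looks like
# a computer account name (name$@domain) instead of the server's FQDN.
$sanOid = '2.5.29.17'   # OID of the Subject Alternative Name extension

function Test-SubjectLooksLikeMachineAccount {
    param([string]$Subject)
    # A computer sAMAccountName ends in '$'; the thread reports hostname$@domain.tld.
    # Matches either a bare value or the value of an RDN such as CN=...
    return $Subject -match '(^|=)\s*[^=,@]+\$@[^,]+'
}

function Get-SuspectCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Render the SAN extension (if present) as text, e.g. "DNS Name=..."
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        [pscustomobject]@{
            Thumbprint              = $cert.Thumbprint
            Subject                 = $cert.Subject
            SubjectAlternativeName  = $sanText
            NotBefore               = $cert.NotBefore   # helps correlate with a renewal date
            SubjectIsMachineAccount = Test-SubjectLooksLikeMachineAccount $cert.Subject
        }
    }
}

# Constructed sample subjects (not taken from a real CA) to show the classification.
foreach ($s in 'CN=dc01.example.test', 'CN=dc01$@example.test') {
    '{0,-28} machine-account form: {1}' -f $s, (Test-SubjectLooksLikeMachineAccount $s)
}

# Report certificates in the local machine store that show the symptom.
Get-SuspectCertificate |
    Where-Object { $_.SubjectIsMachineAccount } |
    Format-List Thumbprint, Subject, SubjectAlternativeName, NotBefore
```

Comparing NotBefore on flagged certificates with the date a hotfix was installed on the CA shows whether the change coincides with renewals issued after that date.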