
In AD Certificate Templates, the templates have an option to build from AD information, which includes Email, DNS, UPN, etc.


When creating a CSR using PowerShell, OpenSSL or the Certificates MMC snap-in, I know it's possible to add additional attributes like State, City, Organization, Organizational Unit, Locality and others. Is it possible to have this type of information pulled from AD so that, when servers are set to auto-enroll, this kind of additional information is included in the cert?

I know additional information can be added to AD users/objects using Attribute Editor, but I'm not sure if you can specify certificate templates to pull this information.

Thanks!

jrd1989

2 Answers


Not with built-in functionality. You have to write a custom policy module by implementing the ICertPolicy2 interface and then, inside ICertPolicy::VerifyRequest, call ICertServerPolicy::SetCertificateProperty to modify the subject to include custom RDNs.

Crypt32
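To make the approach in the answer above concrete, here is an added example of such a policy module. It is not the answerer's code and not TameMyCerts: it wraps the Microsoft default policy module (so template checks, permissions and the template's own "build from AD" subject handling still apply), and after the default module accepts a request it looks up the requesting account in AD and copies the l, st, o, ou and c attributes into the corresponding Subject RDNs via ICertServerPolicy::SetCertificateProperty. Assumptions: the CERTPOLICYLib and CERTCLILib assemblies are the COM interop assemblies generated from the Windows SDK type libraries (certpol.tlb and certcli.tlb), the interop member names follow the IDL and should be checked against the generated assemblies, the GUID and ProgID are placeholders, and the "Subject.*" property names are the name properties documented for ICertServerPolicy.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;
using CERTCLILib;     // ICertServerPolicy / CCertServerPolicy (interop of certcli.tlb)
using CERTPOLICYLib;  // ICertPolicy2 / ICertManageModule (interop of certpol.tlb)

namespace AdSubjectPolicy
{
    [ComVisible(true)]
    [Guid("3B8F5D0A-1C2E-4F6B-9A7D-0E1F2A3B4C5D")] // placeholder: generate your own GUID
    [ProgId("AdSubjectPolicy.Policy")]              // placeholder ProgID used at registration
    [ClassInterface(ClassInterfaceType.None)]
    public class Policy : ICertPolicy2
    {
        // Values from certsrv.h: property type and VerifyRequest verdict
        private const int PROPTYPE_STRING = 4;
        private const int VR_INSTANT_OK = 1;

        // AD attribute (LDAP display name) -> subject name property understood by
        // ICertServerPolicy::SetCertificateProperty
        private static readonly Dictionary<string, string> AttributeToRdn = new Dictionary<string, string>
        {
            { "l",  "Subject.Locality" },
            { "st", "Subject.State" },
            { "o",  "Subject.Organization" },
            { "ou", "Subject.OrgUnit" },
            { "c",  "Subject.Country" },
        };

        private ICertPolicy2 _defaultPolicy;

        public void Initialize(string strConfig)
        {
            // Chain to the Microsoft default policy module instead of replacing it
            Type defaultType = Type.GetTypeFromProgID("CertificateAuthority_MicrosoftDefault.Policy", true);
            _defaultPolicy = (ICertPolicy2)Activator.CreateInstance(defaultType);
            _defaultPolicy.Initialize(strConfig);
        }

        public int VerifyRequest(string strConfig, int Context, int bNewRequest, int Flags)
        {
            int verdict = _defaultPolicy.VerifyRequest(strConfig, Context, bNewRequest, Flags);
            if (verdict != VR_INSTANT_OK)
                return verdict; // denied or pending: leave the request untouched

            var server = new CCertServerPolicy();
            server.SetContext(Context);

            // RequesterName is the authenticated "DOMAIN\name" (machine accounts end in '$'),
            // not anything the client put into the CSR, so it is the safe key for the lookup
            string requester = (string)server.GetRequestProperty("RequesterName", PROPTYPE_STRING);
            string sam = requester.Substring(requester.LastIndexOf('\\') + 1);

            foreach (KeyValuePair<string, string> rdn in ReadAccountAttributes(sam))
            {
                object value = rdn.Value;
                server.SetCertificateProperty(rdn.Key, PROPTYPE_STRING, ref value);
            }
            return verdict;
        }

        // Returns subject property name -> value for every mapped attribute set on the account
        private static Dictionary<string, string> ReadAccountAttributes(string sam)
        {
            var result = new Dictionary<string, string>();
            using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
            using (var domain = new DirectoryEntry("LDAP://" + rootDse.Properties["defaultNamingContext"].Value))
            using (var searcher = new DirectorySearcher(domain))
            {
                searcher.Filter = "(sAMAccountName=" + EscapeLdapFilter(sam) + ")";
                foreach (string attr in AttributeToRdn.Keys)
                    searcher.PropertiesToLoad.Add(attr);

                SearchResult account = searcher.FindOne();
                if (account == null) return result;

                foreach (KeyValuePair<string, string> map in AttributeToRdn)
                    if (account.Properties[map.Key].Count > 0)
                        result[map.Value] = (string)account.Properties[map.Key][0];
            }
            return result;
        }

        // RFC 4515 escaping so an account name can never alter the filter structure
        private static string EscapeLdapFilter(string s)
        {
            var sb = new StringBuilder();
            foreach (char c in s)
            {
                switch (c)
                {
                    case '\\': sb.Append("\\5c"); break;
                    case '*':  sb.Append("\\2a"); break;
                    case '(':  sb.Append("\\28"); break;
                    case ')':  sb.Append("\\29"); break;
                    case '\0': sb.Append("\\00"); break;
                    default:   sb.Append(c); break;
                }
            }
            return sb.ToString();
        }

        public string GetDescription() => "Default policy plus Subject RDNs from AD";
        public ICertManageModule GetManageModule() => _defaultPolicy.GetManageModule();
        public void ShutDown() => _defaultPolicy.ShutDown();
    }
}
```

Build it as a .NET Framework class library, register the assembly for COM on the CA (regasm /codebase), then make it the active policy module with `certutil -setreg policy\Active "AdSubjectPolicy.Policy"` and restart the CertSvc service. The CA's service identity needs read access to the attributes on the user or computer objects, and because a policy module runs inside the CA process, a fault in it can stop or taint every issuance, so test it on a lab CA before touching production.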

I've written a policy module in C#; find it here: https://github.com/Sleepw4lker/TameMyCerts.

The upcoming version will definitely include the feature you described for user accounts. Maybe I'll implement it for machine accounts as well.

Kind regards