Subject Names

§

The holder of the private key associated with a certificate is known as the subject. This can be a user, a program, or virtually any object, computer, or service.

Because the subject name can vary greatly depending on who or what the subject is, some flexibility is needed when providing the subject name in the certificate request. Windows can build the subject name automatically from subject information stored in Active Directory Domain Services (AD DS) or the subject name can be supplied manually by the subject (for example, by using certificate enrollment Web pages to create and submit a certificate request).

Enterprise certification authorities (CAs) include the Certificate Templates snap-in to configure certificate templates. Use the Subject Name tab on the certificate template properties sheet to configure subject name options.

Supply in the request

When the Supply in the request option is selected, the Use subject information from existing certificates for autoenrollment renewal requests option is available to simplify the task of adding the subject name to the certificate renewal request and to allow computer certificates to be renewed automatically. Subject information from existing certificates is not used for automatic renewal of user certificates.

The Use subject information from existing certificates for autoenrollment renewal requests option causes the certificate enrollment client to read subject name and subject alternative name information from an existing computer certificate based on the same certificate template when creating renewal requests automatically or using the Certificates snap-in. This applies to computer certificates that are expired, revoked, or within their renewal period.

Build from AD DS

When the Build from this Active Directory information option is selected, the following additional options can be configured.

Subject name format

SettingDescription

Common name

The CA creates the subject name from the common name (CN) obtained from AD DS. This should be unique within a domain but might not be unique within an enterprise.

Fully distinguished name (DN)

The CA creates the subject name from the fully distinguished name obtained from AD DS. This ensures that the name is unique within an enterprise.

Include e-mail name in subject name

If the E-mail name field is populated in the Active Directory user object, this e-mail name will be included with either the common name or fully distinguished name as part of the subject name.

None

A name value is not required for this certificate.

Include this information in alternate subject name

SettingDescription

E-mail name

If the E-mail name field is populated in the Active Directory user object, this e-mail name will be used.

DNS name

This is the fully qualified domain name (FQDN) of the subject that requested the certificate. This is most frequently used in computer certificates.

User principal name (UPN)

The user principal name is part of the Active Directory user object and will be used.

Service principal name (SPN)

The service principal name is part of the Active Directory computer object and will be used.

⇒⇒Certificate Manager "certmgr.msc" Manual

✍: Microsoft

2016-08-06, 3753🔥, 0💬