We need to issue certificates that contain the logon name in the CN of the subject.
Currently the DN is included in the subject. In this case, the CN should contain the LogonName fredsmith or the email firstname.lastname@example.org.
With the standard configuration of the templates of the CA this cannot be configured.
We are using the extension in MyID to edit the attributes in the Certificate Authority configuration of the template.
It seems that currently only SAN attributes can be configured. Is there maybe a way to extend this so that the Subject can also be configured?
Currently we are using “supply in request” on the MS CA template.
When using a customPKCS10Creator, can this be restricted to specific templates (or profiles), or is the CN then changed for every certificate that uses “supply in request”?
You cannot get the granular control by using a customPKCS10Creator as it will affect all the “supply in request” certificate requests.
You have more control using an alternative CA template with “build from directory”, as you can control the use of the template through the MyID credential profiles. The downside of this approach is that you may need to modify the user accounts to accommodate this, so it is recommended that you experiment with this on a test system first. This is outside of MyID’s control and therefore not something we are able to advise on in detail, but as an example, you could do something like this:
You could set up a user with a name of email@example.com and ensure that both the name and the logon name match.
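
As an added illustration of the last suggestion (not part of the original reply and not MyID or Microsoft code): a PowerShell check, meant for a test system, that lists accounts whose name matches neither logon name. It assumes the “build from directory” template takes the subject CN from the account's Name (cn) attribute; `Get-SubjectCnMismatch` and the sample accounts are hypothetical and constructed for this example.

```powershell
# Added example: list accounts whose directory name would not produce the wanted CN.
# Assumption: the "build from directory" template takes the subject CN from the
# account's Name (cn) attribute, so Name must equal one of the logon names.

function Get-SubjectCnMismatch {
    [CmdletBinding()]
    param(
        # Any object exposing Name, SamAccountName and UserPrincipalName
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        # Collect the logon names that are actually set on the account
        $logonNames = @($User.SamAccountName, $User.UserPrincipalName) |
            Where-Object { $_ }

        # -notcontains compares strings case-insensitively
        if ($logonNames -notcontains $User.Name) {
            [pscustomobject]@{
                Name              = $User.Name
                SamAccountName    = $User.SamAccountName
                UserPrincipalName = $User.UserPrincipalName
            }
        }
    }
}

# Constructed sample accounts (not real data)
$sample = @(
    [pscustomobject]@{ Name = 'fredsmith';         SamAccountName = 'fredsmith'; UserPrincipalName = 'fredsmith@example.com' }
    [pscustomobject]@{ Name = 'Fred Smith';        SamAccountName = 'fredsmith'; UserPrincipalName = 'fredsmith@example.com' }
    [pscustomobject]@{ Name = 'email@example.com'; SamAccountName = 'email';     UserPrincipalName = 'email@example.com' }
)

# Only accounts that would need renaming are returned
$sample | Get-SubjectCnMismatch | Format-Table -AutoSize

# Against a test domain (requires the ActiveDirectory module):
#   Get-ADUser -Filter * | Get-SubjectCnMismatch
```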