3.8 Controlling the content of subject alternative names
Microsoft Certificate Services maintains and uses certificate templates stored in Active Directory when processing certificate requests and issuing certificates.
By default, the content of subject alternative names is controlled by the CA; request attributes that specify a subject alternative name are neither required nor accepted. Because the MyID application server requests certificates on behalf of the end users, if you want to use additional attribute mappings to control the content of the subject alternative name, you must modify the configuration of the CA to give MyID the ability to specify the subject alternative name content.
Warning: This is a global setting and is not limited to a single template. Once it is enabled, the CA accepts subject alternative name attributes on all certificate requests, from any requester. It is recommended that you set up a dedicated CA for MyID to prevent other clients from requesting certificates from the CA, and that you disable any certificate templates that you do not intend to issue using MyID.
To ensure that only the MyID application server can issue certificates, configure the CA to require the use of an enrollment agent certificate.
To enable MyID to specify the content of subject alternative names:
- Log on to the CA as an Administrator.
- To display a list of the current settings, at the command prompt type:
  CERTUTIL -getreg policy\EditFlags
- If EDITF_ATTRIBUTESUBJECTALTNAME2 is not included in the list, at the command prompt type:
  CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
- Restart the CA by entering the following commands, pressing Enter after each one:
  - NET STOP certsvc
  - NET START certsvc
MyID can now control the content of the “Subject Alternative Name” (SubjectAltName2) until you return control to the CA.
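Because the flag is CA-wide, it is worth checking it together with the list of templates the CA publishes. The following PowerShell script is an added example, not part of the MyID documentation; it assumes it runs on the CA host as an administrator, that certutil.exe is on the PATH, and that the -CATemplates output uses the "Name: Display Name -- Access Check" line layout shown in the comments.

```powershell
# Added audit example (not from the MyID documentation).
# Assumptions: runs on the CA host as an administrator; certutil.exe is on the PATH.
# Reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set and which templates the CA
# publishes, so the global SAN setting can be reviewed against the published templates.

function Get-SanAttributeFlagState {
    # certutil prints the EditFlags DWORD followed by one symbolic flag name per line,
    # e.g. "EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)" when the flag is set.
    $output = & certutil.exe -getreg policy\EditFlags 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -getreg failed (exit $LASTEXITCODE): $($output -join "`n")"
    }
    $enabled = $output | Select-String -Pattern 'EDITF_ATTRIBUTESUBJECTALTNAME2' -Quiet
    [PSCustomObject]@{
        Flag    = 'EDITF_ATTRIBUTESUBJECTALTNAME2'
        Enabled = [bool]$enabled
        Raw     = ($output -join "`n")
    }
}

function Get-PublishedTemplates {
    # Assumed line layout of "certutil -CATemplates": "Name: Display Name -- Access Check".
    # Lines without " -- " (such as the trailing status line) are ignored.
    $output = & certutil.exe -CATemplates 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -CATemplates failed (exit $LASTEXITCODE): $($output -join "`n")"
    }
    foreach ($line in $output) {
        if ("$line" -match '^(?<Name>[^:\s]+):\s*(?<Display>.+?)\s*--\s*(?<Access>.*)$') {
            [PSCustomObject]@{
                Name        = $Matches.Name
                DisplayName = $Matches.Display
                AccessCheck = $Matches.Access
            }
        }
    }
}

$flag      = Get-SanAttributeFlagState
$templates = @(Get-PublishedTemplates)

if ($flag.Enabled) {
    Write-Warning "$($flag.Flag) is set: the CA accepts requester-supplied SAN attributes for all $($templates.Count) published templates."
    Write-Warning 'Review the templates below; disable those MyID does not issue and require enrollment agent certificates.'
} else {
    Write-Output "$($flag.Flag) is not set: the CA controls subject alternative name content."
}
$templates | Format-Table -AutoSize
```

Run it after each change to the flag (and again after the CA restart) so the recorded state matches what the CA is actually enforcing.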
To return control of the content of subject alternative names to the CA:
- Log on to the CA as an Administrator.
- To display the current settings, at the command prompt type:
  CERTUTIL -getreg policy\EditFlags
- At the command prompt, type:
  CERTUTIL -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
- Restart the CA by entering the following commands, pressing Enter after each one:
  - NET STOP certsvc
  - NET START certsvc
Control of the content of “Subject Alternative Name” (SubjectAltName2) returns to the CA.