2.14 Using the DeviceSerialNumber X500 attribute
By default, a Microsoft CA does not allow certificates to be issued that contain the DeviceSerialNumber X500 attribute (OID 2.5.4.5) in the subject Distinguished Name. If you need support for this attribute (for example, for the auth cert for PIV or PIV-I cards) you must carry out manual configuration on the CA.
To set up the DeviceSerialNumber X500 attribute:
- At the command line on the CA, run the following command:
certutil -getreg ca\SubjectTemplate
This queries which X500 attributes are enabled, and the order they appear in the DN.
By default this returns the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\SubjectTemplate:
SubjectTemplate REG_MULTI_SZ =
0: EMail
1: CommonName
2: OrganizationalUnit
3: Organization
4: Locality
5: State
6: DomainComponent
7: Country
CertUtil: -getreg command completed successfully.
- Run the following command to insert DeviceSerialNumber into this list:
certutil -setreg ca\SubjectTemplate "<list of attributes>"
The list of attributes is separated with \n. For example:
certutil -setreg ca\SubjectTemplate "EMail\nDeviceSerialNumber\nCommonName\nOrganizationalUnit\nOrganization\nLocality\nState\nDomainComponent\nCountry"
This inserts DeviceSerialNumber into the list of attributes. If your system has already been modified, you may want to use a different list; use the output from the -getreg command above to determine what attributes you want to use.
- Restart the CA service.
- Run the following command to confirm that the configuration has been made correctly:
certutil -getreg ca\SubjectTemplate
This should now return the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\SubjectTemplate:
SubjectTemplate REG_MULTI_SZ =
0: EMail
1: DeviceSerialNumber
2: CommonName
3: OrganizationalUnit
4: Organization
5: Locality
6: State
7: DomainComponent
8: Country
CertUtil: -getreg command completed successfully.
The DeviceSerialNumber has been added near the beginning of the list. This is the position it will appear in the DN for the issued certificate.
Note: The list and order of attributes may differ on your system if the CA has already been customized.
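The following PowerShell script is an added example, not part of the original guide, that carries out the whole procedure above in one idempotent pass: it reads the current SubjectTemplate from the registry (so an already customised list is preserved), inserts DeviceSerialNumber directly after EMail (or appends it if EMail is absent), writes the list back with the same certutil -setreg "\n"-separated syntax, restarts the CA service and verifies the result. It assumes it is run elevated on the CA itself and that the active CA name is read from the Active value under the CertSvc Configuration key; the variable names are the example's own.

```powershell
# Added example (not from the original guide): idempotently insert
# DeviceSerialNumber into the CA's SubjectTemplate, restart the CA and verify.
# Assumes an elevated session on the CA. $InsertAfter is an assumption that
# reproduces the ordering shown in the guide (directly after EMail).
$ErrorActionPreference = 'Stop'
$InsertAfter = 'EMail'
$Attribute   = 'DeviceSerialNumber'

# The active CA name is held in the 'Active' value under Configuration, and
# SubjectTemplate is a REG_MULTI_SZ value under Configuration\<CAName>.
$confKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $confKey -Name Active).Active
$caKey   = Join-Path $confKey $caName

# Read the current list so a previously customised CA is not overwritten blindly.
[string[]]$current = (Get-ItemProperty -Path $caKey -Name SubjectTemplate).SubjectTemplate
Write-Host "Current SubjectTemplate: $($current -join ', ')"

if ($current -contains $Attribute) {
    Write-Host "$Attribute is already present; nothing to change."
    return
}

# Build the new ordered list: insert directly after $InsertAfter, or append
# at the end if that anchor attribute is not present.
$new = New-Object 'System.Collections.Generic.List[string]'
$inserted = $false
foreach ($attr in $current) {
    $new.Add($attr)
    if (-not $inserted -and $attr -eq $InsertAfter) { $new.Add($Attribute); $inserted = $true }
}
if (-not $inserted) { $new.Add($Attribute) }

# certutil -setreg expects the attributes separated by a literal backslash-n,
# exactly as in the guide; PowerShell single quotes keep '\n' literal.
$argList = $new -join '\n'
& certutil.exe -setreg ca\SubjectTemplate $argList
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }

# The CA service must be restarted before the new template takes effect.
Restart-Service -Name CertSvc

# Verify by re-reading the registry and reporting the attribute's position in the DN order.
[string[]]$after = (Get-ItemProperty -Path $caKey -Name SubjectTemplate).SubjectTemplate
$index = [Array]::IndexOf($after, $Attribute)
if ($index -lt 0) { throw "$Attribute was not written to SubjectTemplate" }
Write-Host ("Verified: {0} is at position {1} in: {2}" -f $Attribute, $index, ($after -join ', '))
```

Run it once and compare the final line with the output of certutil -getreg ca\SubjectTemplate; running it again reports that the attribute is already present and makes no further change.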