Introduction
When constructing a Certificate Signing Request (CSR) it may be necessary to customize the data sent in the request fields. For example, the Common Name (CN) that is encoded into the CSR and displayed as the Subject in the certificate may need to be customized so that it uses a configurable value instead of the AD CN attribute value.
This article describes how to configure vSEC:CMS so that the values set in the CSR can be customized.
The configuration steps vary depending on the Certificate Authority (CA) that you use. In this article we describe how to configure for a Microsoft CA.
For other supported CAs, refer to the articles that describe how to configure those CA connections; they contain details on configuring the request fields.
Microsoft CA
The first step is to configure the certificate template on the MS CA so that certificate requests may supply their own values for the subject.
From the certificate template on the CA, enable the Supply in the request radio button in the Subject Name tab.
You will need to publish the CA template from the MS CA console so that it is available to vSEC:CMS (see the next steps).
1. From the vSEC:CMS console navigate to Options – Connections and click Certificate Authorities.
2. If a CA Server Template has already been configured, select it and click the Edit button; otherwise click the Add button to add a new template.
3. Click the Templates button and then Update.
4. Select the template configured on the MS CA that is to be used. The Fields button will become available. Click the Fields button.
5. By default, the Common Name (CN) field is populated in the table. This is the common name that is sent to the CA with the certificate request. To add more customizable fields, click the Fields button. Move the CSR fields that you want to customize from the Available pane to the Selected pane and click Ok.
CSR fields named Other Name are used to customize the Subject Alternative Name (SAN); all other fields customize the Subject field in the certificate. RFC822 refers to the SAN email value (rfc822Name), as per the standard.
The value of a field can be customized by clicking anywhere inside its Value field, which opens a dialog.
6. Enable the Use variable radio button and select the placeholder variable that is mapped to an attribute in your directory. See the article Using Variables to see how you can set up and map variables to attributes.
Alternatively, enable the Use free text radio button, where an already configured placeholder variable can be combined with free text. For example, the Common Name (CN) could be constructed from the placeholder variable ${CommonName} with the free text “–SomeFreeText” appended to the end of the ${CommonName} value. This would be entered in the text field as: ${CommonName}–SomeFreeText
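The following Python script is an added example, not code from the article or from vSEC:CMS, showing how a configured free-text value such as ${CommonName}-SomeFreeText resolves against the attributes mapped to the user's variables, how the resolved fields split between the Subject and the SAN as described above, and one pitfall that deserves a check: free text containing "," or "+" must be escaped when the Subject is rendered as a distinguished-name string, or it is read as an extra RDN. The field display names other than Common Name, the attribute-type mapping and the ${Name} placeholder syntax are assumptions made for the example; how vSEC:CMS itself encodes the CSR is not described on the page.

```python
import re
from typing import Dict, List, Tuple

# Assumed placeholder syntax for free-text values, e.g. "${CommonName}-SomeFreeText".
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")

# Request fields whose values go into the Subject Alternative Name rather than the Subject.
SAN_FIELDS = {"Other Name", "RFC822"}

# Display name -> X.500 attribute type. "Common Name" appears on the page; the other
# display names are assumed for this example.
ATTRIBUTE_TYPES = {
    "Common Name": "CN",
    "Organization": "O",
    "Organizational Unit": "OU",
    "Country": "C",
}

# Characters that RFC 4514 requires to be escaped inside an attribute value.
_DN_SPECIAL = re.compile(r'([,+"\\<>;])')


def resolve_value(template: str, variables: Dict[str, str]) -> str:
    """Expand every ${Name} in a configured value from the attributes mapped for this user.

    A placeholder with no value is an error: silently sending "" or the literal
    "${Name}" to the CA would produce a certificate with a wrong Subject.
    """
    def replace(match: re.Match) -> str:
        name = match.group(1)
        value = variables.get(name)
        if not value:
            raise ValueError(f"placeholder ${{{name}}} has no value for this user")
        return value
    return PLACEHOLDER.sub(replace, template)


def build_request_fields(fields: List[Tuple[str, str]], variables: Dict[str, str]):
    """fields: (request field name, configured value) pairs as entered in the Fields dialog.

    Returns (subject, san): lists of (field name, resolved value) in configured order.
    """
    subject: List[Tuple[str, str]] = []
    san: List[Tuple[str, str]] = []
    for name, template in fields:
        value = resolve_value(template, variables)
        (san if name in SAN_FIELDS else subject).append((name, value))
    return subject, san


def escape_dn_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 so free text containing ',' or '+' stays
    inside its own RDN instead of being parsed as a new one."""
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    if escaped.startswith((" ", "#")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def subject_to_dn(subject: List[Tuple[str, str]]) -> str:
    """Render the resolved Subject fields as an RFC 4514 distinguished-name string."""
    rdns = []
    for name, value in subject:
        attr = ATTRIBUTE_TYPES.get(name)
        if attr is None:
            raise ValueError(f"no attribute type known for request field {name!r}")
        rdns.append(f"{attr}={escape_dn_value(value)}")
    return ",".join(rdns)


if __name__ == "__main__":
    # Constructed sample: values a directory lookup would have mapped into the variables.
    attrs = {"CommonName": "jdoe", "Mail": "jdoe@example.com"}
    config = [
        ("Common Name", "${CommonName}-SomeFreeText"),   # Use free text
        ("RFC822", "${Mail}"),                           # Use variable, lands in the SAN
        ("Organization", "Example, Inc."),               # plain free text containing a comma
    ]
    subj, san = build_request_fields(config, attrs)
    print("Subject:", subject_to_dn(subj))
    print("SAN:", san)
```

Running it prints the Subject as CN=jdoe-SomeFreeText,O=Example\, Inc. and the SAN list with the rfc822Name value; removing Mail from the attribute map makes the script fail before anything is sent, which is the behaviour you want from a request builder.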
Add objectSid into Certificate Request
Since Microsoft introduced the enforcement described in KB5014754, it is possible to include the user's objectSid when issuing custom certificates from Microsoft certificate services. This is supported from vSEC:CMS 7.1 and later. This section describes how to do this.
Create Variable
The first step is to create a variable that will then be mapped to AD attribute objectSid. From the Admin console navigate to Options - Variables. Click Add and create a variable similar to the sample below and save.
Map Variable
The next step is to map this variable to the AD attribute objectSid. From Templates - Credential Templates select a template that you will be using for the custom certificate issuance and click Edit.
Go to the Issue Credential section and click Edit. In the User ID Options section click Manage. Select the AD connection that you use and Edit. Click the Edit button.
Select the variable added earlier and click Get.
Select a user in your AD. Enter obj in the quick filter field and select the objectSid attribute and click Ok.
Click Ok and Save. Close out of the template to complete this step.
Configure Custom Certificate Field
Now you need to add this custom field to the certificate request. Navigate to the dialog where custom fields are added, as described in the section at the start of this guide. In the Fields dialog add Ms ObjectSID to the Selected pane.
Edit the field and map the variable created earlier to it.
You should see something similar to below.
Save the changes.
Now when you issue the certificate you should see the user's objectSid field in the issued certificate.
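To confirm that the issued certificate really carries the user's objectSid, it helps to know what that field looks like on the wire. The Python below is an added example, not code from the article, vSEC:CMS or Microsoft: it encodes and decodes the KB5014754 SID extension (OID 1.3.6.1.4.1.311.25.2) using only the standard library, and checks the SID found in a certificate against the objectSid read from AD. The SID value and the expected DER layout (SEQUENCE containing an OtherName with type-id 1.3.6.1.4.1.311.25.2.1 and a [0] EXPLICIT OCTET STRING holding the textual SID) are stated here as the example's assumptions; the extension value would in practice be taken from the issued certificate with an X.509 parser.

```python
import re

# OIDs of Microsoft's strong-mapping extension introduced with KB5014754.
NTDS_CA_SECURITY_EXT_OID = "1.3.6.1.4.1.311.25.2"   # the certificate extension itself
NTDS_OBJECTSID_OID = "1.3.6.1.4.1.311.25.2.1"       # OtherName type-id carrying the SID

# Textual form of objectSid, e.g. S-1-5-21-<domain>-<rid>.
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


# --- minimal DER helpers (stdlib only) ---
def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _read_tlv(data: bytes, pos: int = 0):
    """Return (tag, body, position after this element)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def encode_sid_extension(sid: str) -> bytes:
    """DER-encode the extension value:
    SEQUENCE { SEQUENCE { OID objectSid, [0] EXPLICIT OCTET STRING sid } }."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a textual SID: {sid!r}")
    other_name = _tlv(0x30, _oid(NTDS_OBJECTSID_OID) + _tlv(0xA0, _tlv(0x04, sid.encode("ascii"))))
    return _tlv(0x30, other_name)


def decode_sid_extension(ext_value: bytes) -> str:
    """Parse the extension value back to the SID string, rejecting any other shape."""
    tag, outer, end = _read_tlv(ext_value)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extension value is not a single SEQUENCE")
    tag, other_name, _ = _read_tlv(outer)
    if tag != 0x30:
        raise ValueError("expected OtherName SEQUENCE")
    tag, oid_body, pos = _read_tlv(other_name)
    if tag != 0x06 or _tlv(0x06, oid_body) != _oid(NTDS_OBJECTSID_OID):
        raise ValueError("OtherName type-id is not the objectSid OID")
    tag, ctx, _ = _read_tlv(other_name, pos)
    if tag != 0xA0:
        raise ValueError("expected [0] EXPLICIT value")
    tag, sid_bytes, _ = _read_tlv(ctx)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    sid = sid_bytes.decode("ascii")
    if not SID_RE.match(sid):
        raise ValueError(f"decoded value is not a SID: {sid!r}")
    return sid


def sid_matches_directory(ext_value: bytes, expected_sid: str) -> bool:
    """True only if the certificate's SID extension decodes cleanly and equals the AD objectSid."""
    try:
        return decode_sid_extension(ext_value) == expected_sid
    except (ValueError, IndexError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed sample SID; a real check would read objectSid from AD and the
    # extension value from the issued certificate.
    sample_sid = "S-1-5-21-1111-2222-3333-1105"
    ext = encode_sid_extension(sample_sid)
    print(ext.hex())
    print("decoded:", decode_sid_extension(ext))
    print("matches AD:", sid_matches_directory(ext, sample_sid))
```

A mismatch between the SID in the certificate and the account's objectSid is exactly what KB5014754 enforcement rejects at logon, so comparing the two at issuance time catches a wrong variable mapping before users are affected.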