Configure Certification Authority Distinguished Name
When building either an Enterprise Certification Authority or a Standalone Certification Authority we have to provide some information during the configuration wizard. This article, a short one I must say, complements the two mentioned above: I want to talk about one screen of the wizard that caught my attention, the CA Name screen.
Here, if we leave the Distinguished Name as the AD CS Configuration wizard auto-completes it, some information will be missing when we check the CA certificate in a browser. It's not a problem as such, the certificate chain will work as it should, but I just don't like the missing information. I know, I'm a perfectionist.
By opening Firefox which is the browser that shows it very well, we can see that no certificate information is available in the Organization (O) and Organizational Unit (OU) rows for the CA certificate. It shows as <Not Part Of Certificate>.
To make that information available in the CA certificate, make sure you add the O and OU entries in the Distinguished name suffix field when reaching the CA Name screen of the wizard. You can also add your country, locality, city etc., just like when requesting a server/client certificate.
C = RO,O = vKernelRO Technology Consulting,OU = vKernelRO Engineering,L = Cluj,ST = Cluj-Napoca,DC = vkernel,DC = local
Once the CA is built with a complete DN, open Firefox and verify it. As you can see all the information that was missing is now available in the CA certificate.
Also, if we take a look at the Subject field of the CA certificate we can see all of the information we have provided in the Distinguished name suffix during the Certification Authority deployment.
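If you prefer to build the CA from PowerShell rather than the wizard, the same Distinguished name suffix goes into the -CADistinguishedNameSuffix parameter of Install-AdcsCertificationAuthority. The following is an added example, not part of the original article: it installs the CA with the complete DN from above, exports the CA certificate, and checks the Subject for the RDN types that Firefox would otherwise show as <Not Part Of Certificate>. The CA common name vKernelRO-CA and the export path are assumed values; the DN suffix is the one used in this article.

```powershell
# Added example (not from the original article). Assumed values: the CA common
# name 'vKernelRO-CA' and the export path under $env:TEMP.

function Test-CaSubjectComplete {
    # Reports which of the RDN types a browser displays as separate rows are
    # absent from a certificate Subject (the "<Not Part Of Certificate>" case).
    param([Parameter(Mandatory)][string]$Subject)

    # Windows renders stateOrProvinceName as "S=", OpenSSL and others as "ST=",
    # so both spellings count as present.
    $required = [ordered]@{
        'O'  = @('O')
        'OU' = @('OU')
        'L'  = @('L')
        'ST' = @('ST', 'S')
        'C'  = @('C')
    }
    $present = [regex]::Matches($Subject, '(?:^|,\s*)([A-Za-z]+)=') |
        ForEach-Object { $_.Groups[1].Value.ToUpper() }
    $missing = foreach ($type in $required.Keys) {
        if (-not ($required[$type] | Where-Object { $_ -in $present })) { $type }
    }
    [pscustomobject]@{
        Subject  = $Subject
        Missing  = @($missing)
        Complete = (@($missing).Count -eq 0)
    }
}

# What the wizard's auto-completed DN produces (constructed sample Subject):
# only CN and the domain components, so O, OU, L, ST and C are all missing.
Test-CaSubjectComplete 'CN=vKernelRO-CA, DC=vkernel, DC=local'

# Install the role and the CA with the full suffix from the article.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

$dnSuffix = 'C=RO,O=vKernelRO Technology Consulting,OU=vKernelRO Engineering,L=Cluj,ST=Cluj-Napoca,DC=vkernel,DC=local'

$caParams = @{
    CAType                    = 'EnterpriseRootCA'
    CACommonName              = 'vKernelRO-CA'      # assumed CA name
    CADistinguishedNameSuffix = $dnSuffix           # the wizard's "Distinguished name suffix" field
    CryptoProviderName        = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength                 = 4096
    HashAlgorithmName         = 'SHA256'
    ValidityPeriod            = 'Years'
    ValidityPeriodUnits       = 10
    Force                     = $true
}
Install-AdcsCertificationAuthority @caParams

# Export the CA's own certificate and verify its Subject carries every RDN.
# This is the check to run right after deployment, because the DN cannot be
# changed afterwards without removing and re-deploying the CA.
$caCertPath = Join-Path $env:TEMP 'vKernelRO-CA.cer'   # assumed path
certutil -ca.cert $caCertPath | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $caCertPath
$result = Test-CaSubjectComplete -Subject $caCert.Subject
$result

if (-not $result.Complete) {
    Write-Warning ("CA certificate Subject is missing: " + ($result.Missing -join ', '))
}
```

The first call, on the constructed Subject that mirrors the wizard's default DN, reports O, OU, L, ST and C as missing; the second, on the freshly exported CA certificate, should report Complete = True. Running the check before the CA issues its first certificate is the cheap moment to catch a mistake, since the only fix later is the one described below.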
Now here comes your question: But Adrian, how about adding this information to an already built CA? And I'm going to give you a straight and short answer. You can't. Once the CA has been built, the only way to put this DN in the CA certificate is by removing the Certification Authority and deploying it once again with the new DN. Sorry guys, it's just the way it goes, so make sure you do it right from the start.
Not a very important option to configure here, but believe me, once you see your CA configured in depth with no missing information in the certificates, you will have a large smile on your face. And I know Microsoft doesn’t give us too many options to configure our Enterprise CAs, but who knows, maybe one day we will have the flexibility to do more.