Configure Certification Authority Distinguished Name

When building either an Enterprise Certification Authority or a Standalone Certification Authority, we have to provide some information in the configuration wizard. In this article, a short one I must say, and a complement to the two mentioned above, I want to talk about one of the wizard screens that got my attention: the CA Name screen.

If we leave the Distinguished Name as the AD CS Configuration wizard auto-completes it, some information will be missing when we check the CA certificate in a browser. It’s not a bad thing, and the certificate chain will work as it should, but I just don’t like the missing information. I know, I’m a perfectionist.

DN auto-configured by the AD CS Configuration wizard

If we open Firefox, which is the browser that shows this very well, we can see that no certificate information is available in the Organization (O) and Organizational Unit (OU) rows for the CA certificate. It shows as <Not Part Of Certificate>.

Missing information in the CA certificate

Certificate chain showing missing information in the CA certificate

To make that information available in the CA certificate, make sure you add the O and OU entries in the Distinguished name suffix field when you reach the CA Name screen of the wizard. You can also add your country, locality, city, etc., just like when requesting a server/client certificate.

C = RO,O = vKernelRO Technology Consulting,OU = vKernelRO Engineering,L = Cluj,ST = Cluj-Napoca,DC = vkernel,DC = local

Configure DN for a CA certificate during the CA deployment

Once the CA is built with a complete DN, open Firefox and verify it. As you can see, all the information that was missing is now available in the CA certificate.

Root certificate showing all the information from the Subject field

Certificate chain showing all the root certificate information from the Subject field

Also, if we take a look at the Subject field of the CA certificate, we can see all of the information we provided in the Distinguished name suffix during the Certification Authority deployment.

Subject field information of a properly configured CA DN
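The Distinguished name suffix field has a PowerShell counterpart, the `-CADistinguishedNameSuffix` parameter of `Install-AdcsCertificationAuthority`. The following is an added example, not part of the original article: it checks that the DN carries O and OU before deployment (previewed with `-WhatIf`) and runs the same check on the installed CA certificate. The CA common name and the `Get-MissingRdn` helper are hypothetical, and the AD CS role binaries are assumed to be installed.

```powershell
# Added example: values marked hypothetical are placeholders, not from a real deployment.
$caCommonName = 'Example-Root-CA'   # hypothetical CA common name
# The article's suffix, written without spaces around '='.
$dnSuffix = 'C=RO,O=vKernelRO Technology Consulting,OU=vKernelRO Engineering,L=Cluj,ST=Cluj-Napoca,DC=vkernel,DC=local'

function Get-MissingRdn {
    # Hypothetical helper: returns the attribute types in $Required that a DN does not contain.
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [string[]] $Required = @('O', 'OU')
    )
    # X500DistinguishedName throws on a malformed DN, so typos surface before deployment.
    $x500 = [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new($DistinguishedName)
    # Format($true) emits one "TYPE=value" pair per line; keep only the attribute types.
    $present = $x500.Format($true) -split "`r?`n" |
        Where-Object { $_ -match '=' } |
        ForEach-Object { ($_ -split '=', 2)[0].Trim() }
    $Required | Where-Object { $_ -notin $present }
}

# Check the full subject (CN plus suffix) before anything is deployed.
$missing = Get-MissingRdn -DistinguishedName "CN=$caCommonName,$dnSuffix"
if ($missing) { throw "DN suffix lacks: $($missing -join ', ')" }

# -WhatIf previews the deployment without creating the CA; remove it to install.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName $caCommonName `
    -CADistinguishedNameSuffix $dnSuffix `
    -WhatIf

# After a real installation, run the same check on the CA certificate in the machine store.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $caCommonName } |
    ForEach-Object {
        [pscustomobject]@{
            Subject = $_.Subject
            Missing = (Get-MissingRdn -DistinguishedName $_.Subject) -join ', '
        }
    }
```

An empty `Missing` column means the Subject carries both O and OU; pointing the last pipeline at a CA built with the wizard's default DN would list `O, OU` there.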

Now here comes your question: But Adrian, how about adding this information to an already built CA? And I’m going to give you a straight and short answer: you can’t. Once the CA has been built, the only way to put this DN in the CA certificate is by removing the Certification Authority and deploying it once again with the new DN. Sorry guys, it’s just the way it goes, so make sure you do it right from the start.



Not a very important option to configure here, but believe me, once you see your CA configured in depth with no missing information in the certificates, you will have a large smile on your face. And I know Microsoft doesn’t give us too many options to configure our Enterprise CAs, but who knows, maybe one day we will have the flexibility to do more.
