
Re: Modify Subject When Issuing Certificates

1,227 views

Jediah L

Jan 29, 2008, 9:11:31 AM
Once a certificate is issued, as far as I know, changing the subject name
will invalidate the signature.

If you are in the process of issuing a certificate, it all depends on
whether the Template itself (if this is an Enterprise Certificate Authority)
will support supplying the subject name in the request or not.

If the template supports supplying subject (or it is a non-enterprise CA) -
then you can supply the name by manually creating the request using the
certreq.exe utility.

The Microsoft PKI book written by Brian Komar and the Microsoft PKI team has
examples, as well as a utility to build the INF file needed as an input
into this process.


"PenaltyKick" <Penal...@discussions.microsoft.com> wrote in message
news:5869AB4B-FB21-467B...@microsoft.com...
> What are options to modify the Subject name, during certificate issuance from
> a Microsoft Windows 2003 CA. Obviously I don't have access to the real
> private key from the actual Subscriber.
>
> Looking for a command line tool -- Perhaps counter-signing the CSR as a
> trusted enrollment agent, or something? Trying to avoid creating a whole new
> Policy module for the CA. I've looked at certutil -setattributes and
> -setextensions, but those don't seem to be able to modify the actual Subject
> name.
>
> Suggestions appreciated!


PenaltyKick

Jan 29, 2008, 3:01:01 PM
Thanks Jediah,

Yes, of course an issued certificate cannot be changed, and there is no problem
issuing the cert if the CSR was structured properly. My question was, how do
I modify the Subject Name as required, during the issuance process? This is
a Registration Authority function. Either I modify the CSR itself, as a
trusted agent, or I make the request pending in the CA, and "tweak" it there,
just before approving the cert. I am trying to figure out how to go about
this in a Microsoft product. (I will get that book too, just hoping somebody
can give me the "clue" I need...)

Martin Rublik

Jan 30, 2008, 9:08:48 AM
Hi,

You can change a pending request's Subject Name as follows:

1. First run

certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT

2. Restart certificate services

The first two steps need to be executed only once. For more info on these two steps see

http://technet2.microsoft.com/windowsserver/en/library/f8636179-2abe-4cf8-b583-a98dc1abe4361033.mspx?mfr=true


3. Use certutil to manipulate request as follows:

certutil -setattributes <RequestID> "CommonName:<NameToChange>"

e.g.

certutil -setattributes 8 "CommonName:New Name"

If you need to add multiple components, try this:

certutil -setattributes 10 "CommonName:TEST\nOrganizationalUnit:Test1OU\nOrganizationalUnit:Test2OU"

For the DN components naming see this post
http://groups.google.com/group/microsoft.public.windows.server.security/browse_thread/thread/fe2af86a8f5cb6d8/de3d4c31962ddb29?lnk=st&q=Win2003+PKI+%3A+certreq.exe+using+%27special%27+subject+fields#de3d4c31962ddb29


HTH

Martin
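The three steps above, wrapped into one PowerShell script as an added example (not code from the thread or from Microsoft). It assumes an elevated session on the CA host, that the pending request ID is known, and that the subject components are given as a dictionary; the `certutil -view ... Attrib` check at the end is an assumption about the attribute table name and may need adjusting.

```powershell
# Added example: apply a subject override to a pending request on a Windows CA.
# Assumptions: run elevated on the CA, $RequestId is a pending request, and the
# 'Attrib' table name used with -view is assumed, not taken from the thread.
param(
    [int]$RequestId = 8,
    [System.Collections.IDictionary]$Subject = [ordered]@{
        CommonName         = 'New Name'
        OrganizationalUnit = @('Test1OU', 'Test2OU')   # repeated components allowed
    }
)

function Invoke-Certutil {
    # Runs certutil.exe and stops on a non-zero exit code instead of continuing.
    param([string[]]$Arguments)
    & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

# Step 1: let the CA honor subject components supplied as request attributes.
# This is a CA-wide flag; clear it again with '-CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT'
# once the override is no longer needed, so only intended requests can use it.
Invoke-Certutil -Arguments @('-setreg', 'ca\CRLFlags', '+CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT')

# Step 2: restart Certificate Services so the CA re-reads the registry flag.
Restart-Service -Name CertSvc

# Step 3: build the "Name:Value\nName:Value" string certutil expects.
# '\n' must reach certutil as the two literal characters, which single quotes
# guarantee in PowerShell (backtick, not backslash, is the escape character).
$parts = foreach ($name in $Subject.Keys) {
    foreach ($value in @($Subject[$name])) { "${name}:${value}" }
}
$attributeString = $parts -join '\n'

Invoke-Certutil -Arguments @('-setattributes', $RequestId, $attributeString)

# Verify what is now recorded against the request before anyone approves it
# (table name 'Attrib' is assumed).
Invoke-Certutil -Arguments @('-view', '-restrict', "RequestID=$RequestId", 'Attrib')

# Approval is a separate, deliberate step; issue the request only after review:
# certutil -resubmit $RequestId
```

The script stops at the first failing certutil call, so a typo in a component name surfaces before the request is touched.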
