How does the CA perform this: "Publish certificate in Active Directory"

    Question

  • There isn't much information on how a CA goes about the "Publish a certificate in Active Directory" process... in fact there is next to zero information at all!

    So, according to the documentation "A Microsoft certification authority (CA) can add certificates that have been issued to Active Directory subjects to the appropriate Active Directory object."

    How does the CA make the determination about which is the "appropriate Active Directory object" to publish the certificate to?


    For instance, if a certificate template is configured so that:

    • the Subject Name option is set to "Supply in the request"
    • the "Publish certificate in Active Directory" is set
    • and the requestor is someone who holds an Enrollment Agent certificate.


    How would the CA determine which is the most appropriate Active Directory object to publish this to?

    What steps does it take?

    Is there any order of preference for identifying which AD object to publish it to?


    Thanks

    Cheers

    Phil

    Friday, September 16, 2011 12:53 AM

Answers

  • On Fri, 16 Sep 2011 00:53:58 +0000, Philip Richardson wrote:

    For instance, if a certificate template is configured so that:

    * the Subject Name option is set to "Supply in the request"
    * the "Publish certificate in Active Directory" is set
    * and the requestor is someone who holds an Enrollment Agent certificate.

    How would the CA determine which is the most appropriate Active Directory object to publish this to?

    What steps does it take?

    Is there any order of preference for identifying which AD object to publish it to?

    It really doesn't matter how the Subject name is generated or who the
    requestor is, the CA will publish the certificate to the account that
    matches the Subject or the SAN. Publishing it to any other account simply
    doesn't make any sense.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    CChheecckk yyoouurr dduupplleexx sswwiittcchh..

    • Marked as answer by Bruce-Liu Monday, September 19, 2011 7:27 AM
    Friday, September 16, 2011 6:38 AM

All replies

  • Hi,

    Sorry for posting in this old thread, but I really need some help on this.

    I have a Windows CA (W2K12 R2) configuration where I use a User based custom certificate template. The "Publish certificate in Active Directory" setting is enabled. Then I have the SCEP Application Pool in IIS configured to run under a dedicated user, i.e., "ndes_user" that is in the Cert Publishers group. 

    I'm using a Java SCEP protocol implementation to request certificates via the http://<ca server>/CertSrv junction. All the certificates that are issued end up being published in the AD object of the ndes_user, instead of the user object for which the SAN and/or Subject name match. If I run the SCEP Application Pool under another user, then the certificates only get published in that user's AD object instead.

    What I'd like is to have the certificates published in the AD objects of the users for which the SAN/Subject match. This does not seem to work in my case. What am I doing wrong?

    I have read the "What is the Certificate Template setting Publish certificate in Active Directory?", but I still have no clue.


    • Edited by P.G.Petrov Thursday, May 17, 2018 8:07 AM
    Thursday, May 17, 2018 8:05 AM
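An added example (not code from the thread or from Microsoft) that audits the situation described above: it walks every AD user holding a value in userCertificate, pulls the UPN from each published certificate's Subject Alternative Name, and flags certificates that sit on an object whose UPN does not match, which is exactly the symptom of certificates landing on the NDES service account's object. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host and the Windows CryptoAPI text format of the SAN extension ("Principal Name=user@domain").

```powershell
# Added audit script, not part of the original thread.
# Finds certificates published to an AD user object whose UPN differs from
# the UPN carried in the certificate's SAN (the "wrong object" symptom above).
Import-Module ActiveDirectory

function Get-CertUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 is Subject Alternative Name; on Windows, Format() renders
    # the UPN other-name as "Other Name:Principal Name=user@domain" (assumption).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    if ($san.Format($false) -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

function Find-MisplacedPublishedCerts {
    # Only objects that actually carry a published certificate are fetched.
    $users = Get-ADUser -LDAPFilter '(userCertificate=*)' `
                        -Properties userCertificate, userPrincipalName
    foreach ($u in $users) {
        foreach ($raw in $u.userCertificate) {
            # userCertificate holds DER bytes; the leading comma keeps the
            # byte[] as a single constructor argument.
            $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                               -ArgumentList (,$raw)
            $certUpn = Get-CertUpn $cert
            $matches = [bool]$certUpn -and ($certUpn -ieq $u.userPrincipalName)
            [pscustomobject]@{
                Account     = $u.SamAccountName   # object the CA published to
                AccountUpn  = $u.userPrincipalName
                CertSubject = $cert.Subject
                CertUpn     = $certUpn            # who the certificate names
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
                Matches     = $matches
            }
        }
    }
}

# Report only the mismatches, e.g. many user certificates stacked on "ndes_user".
Find-MisplacedPublishedCerts | Where-Object { -not $_.Matches } |
    Sort-Object Account | Format-Table Account, CertUpn, CertSubject, Thumbprint -AutoSize
```

A certificate with no UPN in its SAN is reported as a mismatch as well, so templates that put the identity only in the Subject DN need the comparison extended to $cert.Subject.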