Configuring the subject name
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When establishing a certificate template, the subject name must be defined. This is included in the issued certificate template and must uniquely identify the subject. The subject name can either be built automatically during the certificate request or explicitly defined by the subject and included in the certificate request.
There are a number of options that can be included with the subject name, as well as specific configuration settings for the subject name. The formats and options are:
Subject name formats
Format | Description
---|---
None | Does not enforce any name format for this field.
Common name | The certification authority creates the subject name from the common name (CN) obtained from Active Directory. These should be unique within a domain, but may not be unique within an enterprise.
Fully distinguished name | The certification authority creates the subject name from the fully distinguished name obtained from Active Directory. This guarantees that the name is unique within an enterprise.
Include e-mail name in subject name | If the e-mail name field is populated in the Active Directory user object, that e-mail name will be included with either the common name or fully distinguished name as part of the subject name.
Alternate subject name options
Field | Description | Useful for subject types
---|---|---
E-mail name | If the e-mail name field is populated in the Active Directory user object, that e-mail name will be used. | User
DNS name | The fully qualified domain name (FQDN) of the subject that requested the certificate. | Computer
User principal name (UPN) | The user principal name is part of the Active Directory user object and will be used. | User
Service principal name (SPN) | The service principal name is part of the Active Directory computer object and will be used. | Computer
Notes
If the Subject Name option is set to Supply in the request, one or more Issuance Requirements should be set for the template. If no Issuance Requirements are set, subjects are able to request and obtain certificates that contain any subject name. This would allow subjects to impersonate other subjects easily.
When the subject name is built from Active Directory, a subject cannot request a certificate with a subject name different from that of the requestor; that name is taken from the requestor's authenticated identity. The only subject that can request a certificate with another subject's name is one who holds a certificate based on the Enrollment Agent template. That subject can request certificates on behalf of any other subject.
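The note above describes the combination a reviewer should look for: a template whose subject name is set to Supply in the request but that has no issuance requirement. The following PowerShell audit is an added example, not code from this page or from Microsoft; it evaluates the template attributes that store these settings and flags the combination. The attribute names and bit values (msPKI-Certificate-Name-Flag bit 0x1 for "Supply in the request", msPKI-Enrollment-Flag bit 0x2 for "CA certificate manager approval", msPKI-RA-Signature for "This number of authorized signatures") come from the MS-CRTD specification; the function name and the sample template records are constructed for the example.

```powershell
# Added example: audit certificate templates for "Supply in the request"
# without any issuance requirement. Bit values per MS-CRTD:
#   msPKI-Certificate-Name-Flag 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
#   msPKI-Enrollment-Flag       0x2 = CT_FLAG_PEND_ALL_REQUESTS (manager approval)
#   msPKI-RA-Signature              = number of authorized signatures required
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2

# Hypothetical helper name chosen for this example.
function Test-SubjectSuppliedWithoutIssuanceRequirements {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $NameFlag,        # msPKI-Certificate-Name-Flag
        [Parameter(Mandatory)] [int]    $EnrollmentFlag,  # msPKI-Enrollment-Flag
        [int] $RaSignature = 0                            # msPKI-RA-Signature (absent => 0)
    )
    $suppliesSubject = ($NameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $needsApproval   = ($EnrollmentFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $needsSignatures = $RaSignature -gt 0

    [pscustomobject]@{
        Template              = $Name
        SubjectSuppliedByUser = $suppliesSubject
        ManagerApproval       = $needsApproval
        AuthorizedSignatures  = $RaSignature
        # Review needed only when the requester picks the name and nothing gates issuance.
        NeedsReview           = $suppliesSubject -and -not ($needsApproval -or $needsSignatures)
    }
}

# Constructed sample records (not real templates) shaped like the attributes an
# AD query returns. In a live forest, feed the function from the template container:
#   Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" `
#       -LDAPFilter "(objectClass=pKICertificateTemplate)" `
#       -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature
$sampleTemplates = @(
    @{ Name = 'SampleUser';        NameFlag = 0x0; EnrollmentFlag = 0x0; RaSignature = 0 }  # name built from AD
    @{ Name = 'SampleWebServer';   NameFlag = 0x1; EnrollmentFlag = 0x2; RaSignature = 0 }  # supplied, approval required
    @{ Name = 'SampleAgentSigned'; NameFlag = 0x1; EnrollmentFlag = 0x0; RaSignature = 1 }  # supplied, one signature required
    @{ Name = 'SampleOpen';        NameFlag = 0x1; EnrollmentFlag = 0x0; RaSignature = 0 }  # supplied, nothing required
)

$results = $sampleTemplates | ForEach-Object { Test-SubjectSuppliedWithoutIssuanceRequirements @_ }
$results | Format-Table -AutoSize

# Only 'SampleOpen' should be reported with the constructed data above.
$results | Where-Object NeedsReview | ForEach-Object {
    Write-Warning "Template '$($_.Template)' lets the requester supply the subject name with no issuance requirement set."
}
```

Of the four constructed records, only SampleOpen is reported: the requester supplies the name and neither manager approval nor an authorized signature gates issuance. SampleWebServer and SampleAgentSigned also let the requester supply the name, but each has one of the issuance requirements the note calls for, so the template still controls who can obtain a certificate with an arbitrary subject.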