Configuring the subject name

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When establishing a certificate template, the subject name must be defined. The subject name is included in the issued certificate and must uniquely identify the subject. It can either be built automatically by the certification authority during the certificate request or explicitly supplied by the subject and included in the certificate request.

There are a number of options that can be included with the subject name, as well as specific configuration settings for the subject name. The formats and options are:

Subject name formats

| Format | Description |
|---|---|
| None | Does not enforce any name format for this field. |
| Common name | The certification authority creates the subject name from the common name (CN) obtained from Active Directory. These should be unique within a domain, but may not be unique within an enterprise. |
| Fully distinguished name | The certification authority creates the subject name from the fully distinguished name obtained from Active Directory. This guarantees that the name is unique within an enterprise. |
| Include e-mail name in subject name | If the e-mail name field is populated in the Active Directory user object, that e-mail name will be included with either the common name or fully distinguished name as part of the subject name. |

Alternate subject name options

| Field | Description | Useful for subject types |
|---|---|---|
| E-mail name | If the e-mail name field is populated in the Active Directory user object, that e-mail name will be used. | User |
| DNS name | The fully qualified domain name (FQDN) of the subject that requested the certificate. | Computer |
| User principal name (UPN) | The user principal name is part of the Active Directory user object and will be used. | User |
| Service principal name (SPN) | The service principal name is part of the Active Directory computer object and will be used. | Computer |

Notes

  • If the Subject Name option is set to Supply in the request, one or more Issuance Requirements should be set for the template. If no Issuance Requirements are set, subjects are able to request and obtain certificates that contain any subject name. This would allow subjects to impersonate other subjects easily.

  • Ordinarily, a subject cannot request a certificate whose subject name differs from the requestor's own name, which is obtained through security authentication. The only subject that can request such a certificate is one who holds a certificate based on the Enrollment Agent template; that subject can request certificates on behalf of any other subject.
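The two tables and the first Note map onto a single Active Directory attribute on each template object, msPKI-Certificate-Name-Flag, while issuance requirements live in msPKI-Enrollment-Flag (CA certificate manager approval) and msPKI-RA-Signature (number of authorized signatures). The following Python is an added example, not code from this page or from Microsoft: it decodes those attributes back into the settings named in the tables and flags any template that is set to Supply in the request with no issuance requirement, which is exactly the condition the first Note warns about. The bit values are the documented ones from the MS-CRTD specification; the decoder also recognises the DNS-name-as-CN format, which is a real template option not listed in the table above. The template records are constructed sample data, and the `name` key is an assumption standing in for the LDAP `cn` of a real export.

```python
"""Decode certificate template subject-name settings and audit for
"Supply in the request" templates that lack issuance requirements.

Added example, not Microsoft's code. Bit values follow MS-CRTD; the
template records at the bottom are constructed, not a real AD export.
"""

# msPKI-Certificate-Name-Flag bits (MS-CRTD, msPKI-Certificate-Name-Flag)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # "Supply in the request"
CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL = 0x00200000
CT_FLAG_SUBJECT_ALT_REQUIRE_SPN = 0x00800000
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS = 0x08000000
CT_FLAG_SUBJECT_REQUIRE_EMAIL = 0x10000000       # "Include e-mail name"
CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN = 0x20000000   # DNS name format (not in table)
CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000
CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH = 0x80000000

# msPKI-Enrollment-Flag bit: CA certificate manager approval required
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# Alternate subject name bits in the order the table lists them
_ALT_NAME_BITS = (
    (CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL, "E-mail name"),
    (CT_FLAG_SUBJECT_ALT_REQUIRE_DNS, "DNS name"),
    (CT_FLAG_SUBJECT_ALT_REQUIRE_UPN, "User principal name (UPN)"),
    (CT_FLAG_SUBJECT_ALT_REQUIRE_SPN, "Service principal name (SPN)"),
)


def describe_subject_name(name_flag: int) -> dict:
    """Translate msPKI-Certificate-Name-Flag into the settings from the tables."""
    if name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        fmt = "Supply in the request"
    elif name_flag & CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH:
        fmt = "Fully distinguished name"
    elif name_flag & CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME:
        fmt = "Common name"
    elif name_flag & CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN:
        fmt = "DNS name"
    else:
        fmt = "None"
    return {
        "format": fmt,
        "include_email_in_subject": bool(name_flag & CT_FLAG_SUBJECT_REQUIRE_EMAIL),
        "alternate_subject_names": [label for bit, label in _ALT_NAME_BITS
                                    if name_flag & bit],
    }


def subject_supplied_without_issuance_requirements(template: dict) -> bool:
    """True when the enrollee chooses the subject name and nothing gates issuance.

    An issuance requirement here means either CA manager approval
    (CT_FLAG_PEND_ALL_REQUESTS) or at least one authorized signature
    (msPKI-RA-Signature > 0).
    """
    supplies = bool(template["msPKI-Certificate-Name-Flag"]
                    & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    manager_approval = bool(template["msPKI-Enrollment-Flag"]
                            & CT_FLAG_PEND_ALL_REQUESTS)
    signatures = template.get("msPKI-RA-Signature", 0)
    return supplies and not manager_approval and signatures == 0


def audit(templates) -> list:
    """Return the names of templates that need an issuance requirement added."""
    return [t["name"] for t in templates
            if subject_supplied_without_issuance_requirements(t)]


# Constructed sample records; attribute names are the real LDAP attributes,
# "name" is an assumed stand-in for the template's cn.
SAMPLE_TEMPLATES = [
    {"name": "UserBuiltFromAD",            # Common name + e-mail, UPN and e-mail SANs
     "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME
                                    | CT_FLAG_SUBJECT_REQUIRE_EMAIL
                                    | CT_FLAG_SUBJECT_ALT_REQUIRE_UPN
                                    | CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0},
    {"name": "SuppliedNoApproval",         # the risky configuration from the Note
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0},
    {"name": "SuppliedManagerApproval",    # gated by CA manager approval
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS, "msPKI-RA-Signature": 0},
    {"name": "SuppliedAgentSigned",        # gated by one authorized signature
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 1},
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(t["name"], describe_subject_name(t["msPKI-Certificate-Name-Flag"]))
    print("Templates needing an issuance requirement:", audit(SAMPLE_TEMPLATES))
```

On a live domain the same attributes can be read from the template objects under CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration naming context; the audit logic above only depends on the three attribute values, so the records can be fed from any LDAP export.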