Subject Names

Applies To: Windows Server 2008

The entity that holds the private key corresponding to the public key in a certificate is known as the subject. The subject can be a user, a computer, a program, or virtually any object or service.

Because subjects vary so widely, the certificate template needs some flexibility in how the subject name is supplied. Windows can either build the subject name automatically from the requester's Active Directory object, or require the requester to supply the name in the certificate request.

When the name is built automatically, you can configure which Active Directory attributes are included or excluded to suit the environment. When the template is configured so that the subject supplies the name, the requester places the name in the certificate request itself, for example by using the Web-based enrollment pages, and the certification authority accepts that name as submitted rather than verifying it against Active Directory. Restrict enrollment permissions on such templates to trusted requesters, or require CA certificate manager approval, so that a requester cannot obtain a certificate for a name that is not its own.

Subject names in certificates can be presented using the following formats:

  • Common name. The certification authority builds the subject name from the common name (CN) attribute of the requester's Active Directory object. A CN is only required to be unique within its container, so it is normally unique within a domain but is not guaranteed to be unique within an enterprise.

  • Fully distinguished name (DN). The certification authority creates the subject name from the fully distinguished name obtained from Active Directory. This guarantees that the name is unique within an enterprise.

  • Include e-mail name in subject name. If the e-mail attribute is populated in the Active Directory user object, the e-mail name is appended to the common name or fully distinguished name as part of the subject name. If the attribute is empty, the request fails rather than being issued without the e-mail name, so select this option only where every intended subject has a populated e-mail attribute.

  • None. A name value is not required for this certificate.

The following alternate subject name options can also be specified:

  • E-mail name. The e-mail attribute of the Active Directory user object is used. As with the subject name option above, a request for a user whose e-mail attribute is empty fails.

  • DNS name. The fully qualified domain name (FQDN) of the computer that requested the certificate, taken from its dNSHostName attribute. This is most frequently used in computer certificates.

  • User principal name (UPN). The userPrincipalName attribute of the Active Directory user object is used.

  • Service principal name (SPN). The servicePrincipalName attribute of the Active Directory computer object is used.
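The subject-name and alternate-subject-name choices above are stored on each certificate template as bits of the msPKI-Certificate-Name-Flag attribute in the Configuration partition of Active Directory. The following PowerShell is an added example, not code from the original article or from Microsoft: it decodes that attribute into the options described on this page and reports which templates let the requester supply the subject name. It assumes the CT_FLAG_* bit values published in the [MS-CRTD] specification, uses only the ADSI classes built into Windows, and the template names and flag values in the usage section are constructed samples rather than values read from a real directory.

```powershell
# Added example (not part of the original article): decode a certificate template's
# msPKI-Certificate-Name-Flag into the subject-name options described above.
# Bit values are the CT_FLAG_* constants from [MS-CRTD] (assumed; verify against the spec).
$NameFlagBits = @{
    # Where the subject name comes from
    ENROLLEE_SUPPLIES_SUBJECT          = 0x00000001   # "Supply in the request"
    SUBJECT_REQUIRE_COMMON_NAME        = 0x40000000   # Common name (CN) from AD
    SUBJECT_REQUIRE_DIRECTORY_PATH     = 0x80000000   # Fully distinguished name from AD
    SUBJECT_REQUIRE_EMAIL              = 0x20000000   # Include e-mail name in subject name
    SUBJECT_REQUIRE_DNS_AS_CN          = 0x10000000   # DNS name used as the CN (computers)
    # What goes into the alternate subject name (SAN)
    ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME = 0x00010000   # SAN supplied in the request
    SUBJECT_ALT_REQUIRE_EMAIL          = 0x04000000   # E-mail name
    SUBJECT_ALT_REQUIRE_DNS            = 0x08000000   # DNS name (dNSHostName)
    SUBJECT_ALT_REQUIRE_DOMAIN_DNS     = 0x00400000   # Domain DNS name
    SUBJECT_ALT_REQUIRE_UPN            = 0x02000000   # User principal name
    SUBJECT_ALT_REQUIRE_SPN            = 0x00800000   # Service principal name
    SUBJECT_ALT_REQUIRE_DIRECTORY_GUID = 0x01000000   # Directory object GUID
}

function ConvertTo-UInt32 {
    # AD stores msPKI-Certificate-Name-Flag as a signed 32-bit integer, so a template that
    # uses the DN (bit 0x80000000) reads back as a negative number; reinterpret the bits.
    param([Parameter(Mandatory = $true)] $Value)
    $v = [long]$Value
    if ($v -lt 0) { $v += 0x100000000 }
    [uint32]$v
}

function Get-SubjectNameOptions {
    param(
        [Parameter(Mandatory = $true)] [string] $TemplateName,
        [Parameter(Mandatory = $true)] $NameFlag
    )
    $flag = [long](ConvertTo-UInt32 $NameFlag)
    $set  = @()
    foreach ($entry in $NameFlagBits.GetEnumerator()) {
        if (($flag -band [long]$entry.Value) -ne 0) { $set += $entry.Key }
    }

    # Summarise the subject-name source the way the template property sheet presents it
    if     ($flag -band 0x00000001) { $subject = 'Supplied in the request' }
    elseif ($flag -band 0x80000000) { $subject = 'Fully distinguished name' }
    elseif ($flag -band 0x40000000) { $subject = 'Common name' }
    elseif ($flag -band 0x10000000) { $subject = 'DNS name as CN' }
    else                            { $subject = 'None' }
    if ($flag -band 0x20000000) { $subject += ' + e-mail name' }

    New-Object PSObject -Property @{
        Template              = $TemplateName
        NameFlag              = ('0x{0:X8}' -f $flag)
        SubjectName           = $subject
        Flags                 = ($set -join ', ')
        # True when the CA accepts whatever subject or SAN the requester puts in the request
        RequesterSuppliesName = [bool](($flag -band 0x00000001) -or ($flag -band 0x00010000))
    }
}

function Get-TemplateSubjectNameReport {
    # Enumerate every template in the forest's Configuration partition with the ADSI
    # classes built into Windows (no RSAT or ActiveDirectory module required).
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $searcher.Filter     = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize   = 1000
    $searcher.PropertiesToLoad.AddRange(@('cn', 'msPKI-Certificate-Name-Flag'))
    foreach ($result in $searcher.FindAll()) {
        Get-SubjectNameOptions -TemplateName $result.Properties['cn'][0] `
                               -NameFlag     $result.Properties['mspki-certificate-name-flag'][0]
    }
}

# Constructed sample values (not read from any real directory):
#   -1509949440 is how AD returns 0xA6000000: DN + e-mail in the subject, e-mail + UPN in the SAN
#   1 is "Supply in the request" with no AD-derived name at all
Get-SubjectNameOptions -TemplateName 'SampleADNames'  -NameFlag (-1509949440)
Get-SubjectNameOptions -TemplateName 'SampleSupplied' -NameFlag 1

# Against a live forest: list only the templates whose subject the requester controls
# Get-TemplateSubjectNameReport | Where-Object { $_.RequesterSuppliesName } | Format-Table Template, SubjectName, Flags
```

Templates that the report marks RequesterSuppliesName are the ones to review first: for each, confirm that the Enroll permission is limited to the accounts that genuinely need to name their own certificates, or that the template's issuance requirements demand CA certificate manager approval, since the CA will not check the supplied name against Active Directory.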