AD CS: When user-defined subject alternative names are permitted, set all certificate requests to pending
Applies To: Windows Server 2008 R2, Windows Server 2012
This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.
Operating System | Windows Server® 2008 R2 and Windows Server® 2012
Product/Feature | Active Directory Certificate Services
Severity | Error
Category | Security
Issue
The policy module for a certification authority (CA) is configured to allow the user to define the subject alternative name to be included within a certificate. However, it is not configured to set certificate requests to pending, which requires a certificate manager to review and approve each request.
Impact
When users can define the subject alternative name to be included within a certificate, they can specify an identity other than their own. Unless you require a certificate manager to review and approve each request, there is an increased risk of identity spoofing.
Because digital certificates are used to authenticate the identity of the certificate subject, it is important for user-provided subject information to be verified before issuing certificates. If the CA is not configured to set certificate status to pending, then certificates might be automatically issued without explicit approval by a certificate manager.
Resolution
Configure the policy module for the CA to set all certificate requests to pending and require a certificate manager to review and approve each request before a certificate is issued.
This policy module setting applies to all certificates issued by the CA, and certificates will not be issued to clients until they are approved by a certificate manager.
To configure the CA policy module
1. On the CA, open the Certification Authority snap-in.
2. In the console tree, right-click the root CA, and click Properties.
3. Click the Policy Module tab, and then click Properties.
4. Click Set the certificate request status to pending.
5. Click OK to save changes.
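A registry-level way to verify the same condition after the procedure, as an added PowerShell example that is not part of this page: it reads the active policy module's EditFlags and RequestDisposition values for the CA named in the CertSvc Configuration key and reports whether the BPA finding still applies. The flag constants are taken from certcli.h; the registry paths and the mapping of the "pending" checkbox onto REQDISP_PENDING or REQDISP_PENDINGFIRST are assumptions to confirm on your own CA.

```powershell
# Added audit check, not part of the BPA topic. Constants from certcli.h.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # user-supplied SAN allowed in request attributes
$REQDISP_MASK         = 0xFF
$REQDISP_PENDING      = 0                   # every request held for a certificate manager
$REQDISP_PENDINGFIRST = 0x100               # assumed: initial requests held, renewals auto-issued

function Test-CaSanPendingPolicy {
    # Pure evaluation of the BPA rule so it can be applied to any pair of values.
    param(
        [Parameter(Mandatory)][int]$EditFlags,
        [Parameter(Mandatory)][int]$RequestDisposition
    )
    $sanUserDefined = ($EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
    $pending = (($RequestDisposition -band $REQDISP_MASK) -eq $REQDISP_PENDING) -or
               (($RequestDisposition -band $REQDISP_PENDINGFIRST) -ne 0)
    [pscustomobject]@{
        UserDefinedSanAllowed = $sanUserDefined
        RequestsSetToPending  = $pending
        BpaFinding            = ($sanUserDefined -and -not $pending)
    }
}

# Assumed registry layout: Configuration\Active names the CA, PolicyModules\Active
# names the policy module whose subkey holds EditFlags and RequestDisposition.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey).Active
$modules   = Join-Path $configKey "$caName\PolicyModules"
$activeMod = (Get-ItemProperty -Path $modules).Active
$policy    = Get-ItemProperty -Path (Join-Path $modules $activeMod)

if ($null -eq $policy.RequestDisposition) {
    throw "RequestDisposition not found under $activeMod; inspect the policy module settings manually."
}

$result = Test-CaSanPendingPolicy -EditFlags $policy.EditFlags -RequestDisposition $policy.RequestDisposition
$result | Format-List
if ($result.BpaFinding) {
    Write-Warning "CA '$caName' accepts user-defined SANs but does not hold requests for approval."
}
```

Run it in an elevated PowerShell session on the CA; a BpaFinding of True means the checkbox in step 4 is still clear while user-defined subject alternative names are allowed.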
Additional references
Premier Support customers can use an intensive PKI Health Check to review this issue in addition to a thorough evaluation of other issues. For more information, see Public Key Infrastructure Server Health Check Datasheet.