AD CS: When user-defined subject alternative names are permitted, set all certificate requests to pending

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server® 2008 R2 and Windows Server® 2012

Product/Feature

Active Directory Certificate Services

Severity

Error

Category

Security

The policy module for a certification authority (CA) is configured to allow the user to define the subject alternative name to be included within a certificate. However, it is not configured to set certificate requests to pending, which requires a certificate manager to review and approve each request.

When users can define the subject alternative name to be included within a certificate, they can specify an identity other than their own. Unless you require a certificate manager to review and approve each request, there is an increased risk of identity spoofing.

Because digital certificates are used to authenticate the identity of the certificate subject, it is important for user-provided subject information to be verified before issuing certificates. If the CA is not configured to set certificate status to pending, then certificates might be automatically issued without explicit approval by a certificate manager.

Configure the policy module for the CA to set all certificate requests to pending and require a certificate manager to review and approve each request before a certificate is issued.

This policy module setting applies to all certificates issued by the CA, and certificates will not be issued to clients until they are approved by a certificate manager.

  1. On the CA, open the Certification Authority snap-in.

  2. In the console tree, right-click the root CA, and click Properties.

  3. Click the Policy Module tab, and then click Properties.

  4. Click Set the certificate request status to pending.

  5. Click OK to save changes.

Community Additions

ADD
Show: