
WintelGeek asked ·

Any way to modify certificate templates to include default SAN entries?

For Active Directory domain controllers, the "Kerberos Authentication" certificate template (and newer) includes a couple of SAN entry options, like DNS name. This template can be used for auto-enrollment of domain controllers with AD-integrated PKI, which is very nice and really convenient, and it reduces issues with the hands-free nature of this setup.

The problem comes when you are trying to put domain controllers behind a load-balancer, where LDAP over SSL requires the server certificate to have the "common" name present. The typical load-balancer setup would be something like have a VIP and a "common name", like "ldap.mycorp.org".

Well, you cannot make a secure connection (aka, LDAP over SSL) to "ldap.mycorp.org" unless that name is added to the SAN list.

Yes, I know I can create a manual request and supply the SAN entries in the request, but that's now going to require regular attention, making sure certificates don't expire, making sure you run the script or manual request process on any new domain controllers that will be behind a load-balancer... Too many opportunities for failure!!!

I'm sure I know the answer, but in case there are any super-geek PKI guys here who might have some suggestions beyond the typical "make a manual request and read this link" response. I have ALL the links I need for that. I wrote a script that does ALL of the steps ON the domain controller. The problem is, there is no way to do auto-enrollment, so the missing piece is monitoring for pending certificate expiration, plus then someone has to do a change request and run the manual process.

Ideally, I'd love to know if it's possible to modify the certificate template. I mean, obviously, they have the ability to have a SAN. My whole organization just needs one additional SAN on all DC's, the equivalent of "mycorp.org", except to use the name "ldap.mycorp.org". This should already BE an option!!!!!!

As an alternative, I have a scripted process that works great, but it needs to be run at some point, and NEW DC's need this script run, which is usually the step that gets missed, which causes load-balance issues/failures. I'm not sure what the best way is to get this script to run only when it's really needed (at a new DC deployment or a pending certificate expiration).

I know there are some genius PKI guys in this forum, so I'm looking forward to some interesting discussion!!

Thank you for your support!!


  • Rob "I" --
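Added example (not from the thread or any of its posters): a check a DC could run from a scheduled task or deployment pipeline to decide whether the manual SAN request process needs to run. It assumes the load-balancer name ldap.mycorp.org and the "Kerberos Authentication" template from the question, a 30-day renewal window, and that the template-information extension renders the template's display name.

```powershell
# Added example: decide on a domain controller whether the manual SAN request
# script needs to run, by inspecting the local machine certificate store.
# Assumptions (not from the thread): ldap.mycorp.org is the load-balancer name,
# the cert comes from the "Kerberos Authentication" template, 30 days is the
# renewal window, and the template extension renders the template display name.

$RequiredSan   = 'ldap.mycorp.org'
$TemplateName  = 'Kerberos Authentication'
$RenewalWindow = 30   # days before NotAfter at which renewal should be triggered

# OID of the "Certificate Template Information" extension (v2+ templates).
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    if (-not $ext) { return $null }
    # Format(0) renders e.g. "Template=Kerberos Authentication(<oid>), Major Version Number=..."
    # If the OID cannot be resolved, only the OID appears and this returns it instead.
    if ($ext.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
    return $null
}

function Test-LdapCertNeedsAction {
    $now = Get-Date
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt $now -and
        ((Get-TemplateName $_) -replace '\s','') -eq ($TemplateName -replace '\s','') -and
        ($_.DnsNameList.Unicode -contains $RequiredSan)   # SAN list as exposed by the Cert: provider
    }
    if (-not $candidates) {
        return [pscustomobject]@{ NeedsAction = $true; Reason = "No valid cert carries SAN $RequiredSan"; Thumbprint = $null }
    }
    # The longest-lived matching certificate governs the renewal decision.
    $best = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
    $daysLeft = [int]($best.NotAfter - $now).TotalDays
    if ($daysLeft -le $RenewalWindow) {
        return [pscustomobject]@{ NeedsAction = $true; Reason = "Cert expires in $daysLeft days"; Thumbprint = $best.Thumbprint }
    }
    return [pscustomobject]@{ NeedsAction = $false; Reason = "Cert valid for $daysLeft more days"; Thumbprint = $best.Thumbprint }
}

$result = Test-LdapCertNeedsAction
$result | Format-List
# A non-zero exit code lets the scheduled task or monitoring agent trigger the request script.
if ($result.NeedsAction) { exit 1 } else { exit 0 }
```

Because it only reads the local store, it catches both cases the question names: a new DC that never got the custom certificate, and an existing one whose certificate is approaching expiry.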

Tags: windows-active-directory, windows-server-security

DaisyZhou-MSFT answered ·

Hello @RobIngenthron-2975,

Thank you for posting here.

Any way to modify certificate templates to include default SAN entries?
A: After reading your post several times, I understand you must supply the SAN entries in the request and request certs using the corresponding certificate template. This cannot use cert auto enrollment.

But if the validity period of the certificate is approaching, the certificate will expire, and you do not want the certs to be expired, so you want to use cert autoenrollment.

It seems this is contradictory.

I am sorry, based on my knowledge, I only know we can supply the custom SAN entries in the request.

Hope some genius PKI guys in this forum can give some ideas and help you better.

Thank you for your understanding.



Best Regards,
Daisy Zhou


Crypt32 answered ·

Ideally, I'd love to know if it's possible to modify the certificate template.

The short answer is NO. Initial provisioning/autoenrollment is not possible with a custom SAN that is not part of the dNSHostName DS attribute.

WintelGeek answered ·

It is very unfortunate (and a bit difficult to understand) that after all these years we still have no way to add a SAN to a template for a domain controller (given that the ability is already there as you will find the FQDN for your domain listed as a SAN entry).

I came across another article that seems to state that, even though the auto-enrollment feature will not work, the auto-renewal feature should be able to take care of the renewals to keep it hands off, providing the custom DC certificate that was used to issue the custom certificate to the domain controller. Since the PKI is AD-integrated and the domain controllers are obviously domain-joined, then the auto-renewal should continue to renew the custom certificates without any further manual intervention.

Reference:
https://docs.microsoft.com/en-us/archive/blogs/russellt/custom-ldap-certs


I am disappointed that some of my favorite contributors in this forum did not weigh in.


It is very unfortunate (and a bit difficult to understand) that after all these years we still have no way to add a SAN to a template for a domain controller (given that the ability is already there as you will find the FQDN for your domain listed as a SAN entry).

Certificate templates are not designed to be requester-specific; they are designed to provide rules on how to construct the certificate depending on its use type. Providing explicit SAN inclusion in a certificate template may lead to a security breach when a requester gets a certificate with a name the requester isn't authorized for. This is why Microsoft never added this functionality to certificate templates. Templates already provide you the ability to include a custom subject and SAN, but initial automatic provisioning through autoenrollment is disabled. This is the key point of my previous answer.
