question

GreggHughes-3883 asked Crypt32 answered

fake email for autoenroll template?

Good morning, all!

I'm almost finished migrating from an old 2008 R2 CA to a new two-tier infrastructure CA on Server 2019. I have some service user accounts that are being rejected at the CA because they don't have an email address. These are shared, service-type accounts that have severely limited rights.

Can I insert a fake email into the account? The user would never send or receive email, so it's just a placeholder. If that would satisfy the issuing CA and clear the rejected certificates so I can easily isolate genuine problems, that's the idea. I'm also looking into moving these accounts into a separate OU but they don't necessarily share the same characteristics, so it would take some fancy engineering and testing on a production account.

Thanks to all for looking!

windows-server-security

Does the certificate really need an email address included in it?


I'd have to check. There are real people receiving these certificates, though, so you'd want a way to contact that user if the cert blows up for some reason...


1 Answer

Crypt32 answered

If people don't use certificates based on this particular template to sign/encrypt emails, you can safely go to the template settings, Subject tab, and uncheck the Email checkbox.

If they do (I doubt it really, but anyway), you can put an arbitrary email address in the user account properties in AD for your service accounts.
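
An added example, not part of the original answer: before choosing between the two options, this PowerShell sketch lists which certificate templates demand an e-mail name (in the subject or the SAN) and which enabled user accounts have no `mail` attribute and would therefore be rejected. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; the flag constants are the `msPKI-Certificate-Name-Flag` bits defined in MS-CRTD.

```powershell
# Added example: audit e-mail requirements on templates and accounts missing 'mail'.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read
# the Configuration naming context. Read-only; nothing is modified.
Import-Module ActiveDirectory

# msPKI-Certificate-Name-Flag bits (MS-CRTD)
$SUBJECT_REQUIRE_EMAIL     = 0x20000000   # e-mail name included in the subject name
$SUBJECT_ALT_REQUIRE_EMAIL = 0x04000000   # e-mail name included in the SAN

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# 1. Templates that build the subject from AD and require an e-mail address
$emailTemplates = Get-ADObject -SearchBase $templateBase -SearchScope OneLevel `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties displayName, 'msPKI-Certificate-Name-Flag' |
    ForEach-Object {
        $flags = [int]$_.'msPKI-Certificate-Name-Flag'
        [pscustomobject]@{
            Template       = $_.displayName
            EmailInSubject = [bool]($flags -band $SUBJECT_REQUIRE_EMAIL)
            EmailInSAN     = [bool]($flags -band $SUBJECT_ALT_REQUIRE_EMAIL)
        }
    } |
    Where-Object { $_.EmailInSubject -or $_.EmailInSAN }

$emailTemplates | Sort-Object Template | Format-Table -AutoSize

# 2. Enabled user accounts with no 'mail' attribute. The extensible-match rule
#    excludes accounts whose userAccountControl has the ACCOUNTDISABLE bit (2).
$noMail = Get-ADUser -LDAPFilter `
        '(&(!(mail=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
        -Properties mail, description

$noMail |
    Select-Object SamAccountName, Description, DistinguishedName |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

"{0} template(s) require e-mail; {1} enabled account(s) have none." -f `
    @($emailTemplates).Count, @($noMail).Count
```

Cross-check the second list against the security groups that hold Autoenroll permission on the flagged templates; only accounts in both sets will generate rejected requests.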
