Should a computer certificate's CN be just the computer name or the fully qualified domain name?

Question

question

ME-6236 asked Mar 29, '22 Crypt32 edited Mar 30, '22

Should a computer certificate's CN be just the computer name or the fully qualified domain name?

When using the Certificate snap-in to request a custom certificate, should the CN of the Subject Name be just the computer's hostname or it's FQDN?

For example, a domain-joined computer called workstation1 in the office.local domain - should CN=workstation1 or CN=workstation1.office.local ?

windows-server-security

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 1 · 2022-03-30T06:51:39.903Z

Crypt32 answered Mar 30, '22 Crypt32 edited Mar 30, '22

Subject field (or CN attribute) is deprecated by RFC 2818. Instead, all relevant names must be specified in Subject Alternative Names (SAN) certificate extension. You can populate this extension under Subject field editor in certificate request manager.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

question