In Active Directory Certificate Services (AD CS), there are situations where a custom Subject Name must be provided in requests. This could involve including specific details such as the organization, Organizational Unit (OU), or a custom Common Name (CN). However, enabling the option to 'Supply in the request' for the Subject Name raises security concerns and is often flagged by assessment tools due to the potential for abuse if permissions are misconfigured. Given these concerns, what are the best practices for implementing this securely? What alternatives exist that avoid introducing vulnerabilities?
1 Answer
To ensure security when allowing custom Subject Names, you should restrict the machines that can request such certificates. It’s also crucial to enable CA manager approval for all requests to add an extra security layer.

That's a good, solid approach! This should definitely help pass security assessments like PingCastle.
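As an added example (not part of the original question or answer), the following PowerShell script audits the two controls the answer recommends: it lists every certificate template whose Subject Name is set to 'Supply in the request', shows whether CA manager approval is enforced on it, and which principals hold the Enroll right. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition from a domain-joined host.

```powershell
# Added audit example: find templates where the enrollee supplies the Subject Name
# and check whether CA manager approval and a narrow Enroll ACL are in place.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined, read-capable account.
Import-Module ActiveDirectory

# Bit values of the msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag attributes
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # "CA certificate manager approval"

# Extended right GUID for Certificate-Enrollment ("Enroll")
$enrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templateDN `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'nTSecurityDescriptor'

foreach ($t in $templates) {
    $nameFlags   = [int]$t.'msPKI-Certificate-Name-Flag'
    $enrollFlags = [int]$t.'msPKI-Enrollment-Flag'

    # Only templates where the requester chooses the subject are of interest here
    if (-not ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)) { continue }

    $managerApproval = [bool]($enrollFlags -band $CT_FLAG_PEND_ALL_REQUESTS)

    # Principals allowed to enroll: explicit Enroll right, any extended right, or GenericAll
    $enrollers = $t.nTSecurityDescriptor.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ObjectType -eq $enrollRightGuid -or
                ($_.ActiveDirectoryRights -match 'ExtendedRight' -and $_.ObjectType -eq [Guid]::Empty) -or
                $_.ActiveDirectoryRights -match 'GenericAll')
        } |
        Select-Object -ExpandProperty IdentityReference -Unique

    # Broad groups in the Enroll ACL are what assessment tools flag; review them
    $broad = $enrollers | Where-Object { $_ -match 'Domain Users|Domain Computers|Authenticated Users|Everyone' }

    [pscustomobject]@{
        Template        = $t.Name
        ManagerApproval = $managerApproval
        EnrollAllowed   = ($enrollers -join '; ')
        BroadEnroll     = [bool]$broad
    }
}
```

A template that appears with ManagerApproval False or BroadEnroll True is one where the answer's two mitigations are not yet applied; the script only reads template objects and changes nothing.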