I've received a CSR from a client with a CN, but not with all the subject fields we require.
According to this answer from Scott*, it should be possible to specify the final subject values when the CA issues the certificate, taking or leaving CSR values at will.
I could just generate their cert from scratch, but then I need to start exporting and mailing around private keys. I'd prefer to use the public key they've submitted with the CSR.
Is anyone aware of a method using the certificate services web interface, the CA MMC snap-in, or the MS command-line tools (certreq, certutil, certmgr etc.) to accomplish this?
It seems installing openssl would be my best bet, but I'd prefer to not modify the environment on the CA servers unless absolutely necessary. Another possibility would be a powershell module, if there is one that operates from the perspective of an issuer rather than a requester (we don't enable remote requests of server auth certs, rather we ask for a CSR and use the web interface to generate it by pasting the base64 data into the form.)
I haven't found any workable powershell modules so far, however - they are either client-side or don't allow modifying properties as part of the issuance.
I'd appreciate any insight. If for some reason openSSL won't work even if I try (eg. perhaps it can't interface with a windows CA to issue certificates), that would be good to know too.
*"A CA creates your cert and uses whatever parts of the CSR subject it sees fit"
0 Answers