Customized certificates and Windows CA

September 3, 2007

Hello, I am trying to figure out if there is a possibility to generate

custom subject name in a certificate, that should be issued by Windows

Server 2008 Certification Authority to Windows Vista Client OR by

Windows Server 2003 CA to Vista.

Early, in Windows Server 2003 Custom Certificate Lifecycle Manager

Policy module (from Certificate Lifecycle Manager

Microsoft.Clm.PolicyModulePlugins.dll) was used to issue certificates

with modified subject name and other custom fields. Old platform

doesn't support Windows Vista and IE7 anymore due to deprecation of

XEnroll interface, and all attempts to use

Microsoft.Clm.PolicyModulePlugins.dll on Windows Server 2008 CA are

failed:

-Default Windows Server 2008 Web enrollment pages send requests that

are not recognized by Certificate Lifecycle Manager Policy module

(module passes the requests to Default Windows module, which doesn't

customize anything). In the same situation Windows Server 2003 issues

the correct customized certificate

-Web Portal, that comes with Identity Lifecycle Manager 2007 (which

should more likely work better with it own Certificate Lifecycle

Manager Policy module ) neither supports Windows Server 2008 CA

(reported here also

nor recognizes Windows Vista as a Client when installed on Windows

Server 2003, that requests certificates (XEnroll loading message hangs

the browser)

-Default Windows Server 2008 Web enrollment pages, transferred to

Windows Server 2003, where Certificate Lifecycle Manager Policy module

in order to work with Windows Vista requests issues correct customized

certificates only if requester doesn't use IE7 (=Vista). If a Vista

client tries to get a certificate - certificate is generated without

any customizations.

Please, if anybody has worked with the issue or at least can give me

some advice, I would be very grateful for an answer.

Thanks in advance, Alexey

Recommended Posts