User certificate with addition UPN suffix

Federico Coppola 1,181 Reputation points
2022-11-11T18:24:50.02+00:00

Hi all,
In our company we use user certificates to log clients in to the SSL VPN.
The company firewall is integrated with our local Certification Authority.
The system works fine at the moment; however, we added an additional UPN suffix.

Employees' UserPrincipalName is name@mathieu.company.local, but we added an additional UPN suffix to change the UserPrincipalName to "name@mathieu.company.com", so the UPN and mail are the same.
Can I generate user certificates using the additional UPN suffix instead of the original one?

CA VM runs Windows Server 2016 Datacenter.

Thanks a lot
Federico


3 answers

  1. Federico Coppola 1,181 Reputation points
    2022-11-16T08:54:48.86+00:00

    any suggestions?


  2. Bertrand PERRET 61 Reputation points
    2022-11-16T20:41:28.887+00:00

    Hello,

    I think this can help you:

    https://www.alitajran.com/add-upn-suffix-in-active-directory/

    Regards.


  3. Daisy Zhou 21,046 Reputation points Microsoft Vendor
    2022-11-22T02:37:24.427+00:00

    Hello FedericoCoppola-2569,

    Thank you for posting in our Q&A forum.

    Q: Can I generate a user certificate using the additional UPN suffix instead of the original one?
    A: I think it should be OK.

    For example:

    1. My domain name is b.com.

    2. I set the alternative subject name on the certificate template.

    3. I add a.local as an additional UPN suffix.

    4. I issue a user certificate to Administrator using the CA with the different UPN suffix.

    To make sure this change is feasible, we recommend that you test it out with a test account.

    That is, copy the original certificate from the user store, then delete the original certificate, store only the new certificate with the new additional UPN suffix, and then check if you can use the VPN.

    If everything is OK, you can make this change on all the users.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

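
Once certificates have been re-issued from the changed template, it is worth confirming which UPN each one actually carries, because the VPN maps the certificate's UPN (stored in the Subject Alternative Name as an OtherName with OID 1.3.6.1.4.1.311.20.2.3) to the user. The following PowerShell check is an added example, not code from the thread; the suffix mathieu.company.com and the CurrentUser\My store are assumptions taken from the question and can be changed.

```powershell
# Added example: list the UPN found in each user certificate's SAN and flag
# those that do not end in the expected (new) UPN suffix.
function Test-CertificateUpnSuffix {
    [CmdletBinding()]
    param(
        # New suffix the template should now produce, e.g. "mathieu.company.com" (assumed)
        [Parameter(Mandatory)] [string] $ExpectedSuffix,
        # Store to inspect; the user's personal store is where VPN client certs usually live
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )

    $sanOid = '2.5.29.17'   # Subject Alternative Name extension

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid } | Select-Object -First 1
        if (-not $san) { continue }   # no SAN, so no UPN to compare

        # Format($true) renders the SAN as text; Windows prints the UPN OtherName
        # (OID 1.3.6.1.4.1.311.20.2.3) as "Principal Name=<upn>".
        $text = $san.Format($true)
        $upn  = $null
        if ($text -match 'Principal Name=(\S+)') { $upn = $Matches[1] }

        $expectedTail = '@' + $ExpectedSuffix.ToLowerInvariant()
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            Upn            = $upn
            HasExpectedUpn = ($null -ne $upn) -and $upn.ToLowerInvariant().EndsWith($expectedTail)
        }
    }
}

# Show every certificate that still identifies the user by a different (old) suffix.
Test-CertificateUpnSuffix -ExpectedSuffix 'mathieu.company.com' |
    Where-Object { -not $_.HasExpectedUpn } |
    Format-Table Subject, Upn, NotAfter, Thumbprint -AutoSize
```

Run it on the test account before and after the template change: a row with HasExpectedUpn = False is a certificate that still binds the user to the old .local name, which is exactly the one to remove before testing the VPN login.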