Enroll on behalf of problem

TonyB 1 Reputation point
2020-10-02T10:00:52.013+00:00

Like many, we have staff working from home now using a VPN to connect back to site. This VPN is secured using credentials and user certificates. The issue is that when these user certificates expire, there's no way for the staff member to request a new one without coming back to site to connect to the internal network. So, I'm looking at using the Enrollment Agent so we can request a cert on their behalf and send it to them securely.

I've set up the enrollment agent template, and the 'enroll on behalf of' template I want to use, and I can initiate the request on behalf of another user using the mmc snap-in, but in our case, we need to include a specific subject alternate name in the cert which the VPN auth needs. Whatever I try though, I can't seem to work out if I can include this SAN in the cert template or not - I've tried numerous things on the Subject Name tab in the cert template without success. The SAN needs to be a DNS FQDN, and it's the same for every VPN cert issued. When we do this in the office, we just use the CA Web UI, request a user cert, then add the relevant SAN in the Attributes field - works perfectly. If I try to select the VPN template from the Web UI I don't see the Attributes section, and the cert always says 'this will be saved and not submitted'.

Am I missing something here, or isn't it possible? I don't care if I have to use mmc or the web UI, but it would be good to know if it should work or not with the SAN we need.


1 answer

  1. Vadims Podāns 9,116 Reputation points MVP
    2020-10-02T15:33:39.54+00:00

    If you supply the subject in the request during the ROBO process, then you don't need ROBO at all. Just use normal enrollment, supply the subject and get the cert in the personal store. Then export it to PFX, delete the private key material and send it securely to the target user. You overcomplicated the process.

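As an added example (not from the question or the answer above), here is the answer's workflow scripted with certreq: the fixed DNS SAN is placed inside the CSR as a real extension instead of the web UI's Attributes box, which only works when the CA carries the EDITF_ATTRIBUTESUBJECTALTNAME2 flag, a setting that lets any requester choose any SAN and is best left off. It assumes the VPN template has Subject Name set to "Supply in the request" and "Allow private key to be exported", and that enrollment on it is restricted to the admins doing this; the template name, CA config string, user name and FQDN are placeholders.

```powershell
# Added example: enroll a VPN user cert with a fixed DNS SAN on an admin
# workstation, export it to PFX for the user, then purge the local copy.
# All names below are placeholders, not values from the original thread.
$Template = "VPNUserCert"                           # template with Subject Name = "Supply in the request"
$CaConfig = "ca01.corp.example\Example Issuing CA"  # CA "host\name" as shown by certutil -dump
$UserCN   = "jdoe"                                  # identity the VPN gateway expects in the subject
$SanFqdn  = "vpn.corp.example"                      # the one SAN every VPN cert must carry
$WorkDir  = Join-Path $env:TEMP "vpn-enroll-$UserCN"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
# certreq INF: the SAN is requested as an extension (OID 2.5.29.17) inside the
# CSR itself, so the CA does not need the risky EDITF_ATTRIBUTESUBJECTALTNAME2 flag.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$UserCN"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$SanFqdn&"
"@
Set-Content -Path "$WorkDir\request.inf" -Value $inf -Encoding ASCII

# Create the CSR (key lands in the admin's CurrentUser store), submit it, install the result.
certreq -new "$WorkDir\request.inf" "$WorkDir\request.req"
certreq -submit -config $CaConfig "$WorkDir\request.req" "$WorkDir\issued.cer"
certreq -accept "$WorkDir\issued.cer"

# Verify the CA actually honoured the SAN before handing anything over.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$WorkDir\issued.cer"
$san = $issued.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($SanFqdn)) { throw "SAN missing from issued cert" }
# Export to a password-protected PFX for the user, then remove cert AND key locally
# so the only copy of the private key is the one that travels to the user.
$pfxPwd = Read-Host -AsSecureString "PFX password (give to the user out of band)"
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$($issued.Thumbprint)" -FilePath "$WorkDir\$UserCN.pfx" -Password $pfxPwd | Out-Null
Remove-Item -Path "Cert:\CurrentUser\My\$($issued.Thumbprint)" -DeleteKey
```

Send the PFX and its password over two different channels, and have the user delete the PFX file once it is imported.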