Any way to modify certificate templates to include default SAN entries?

Rob I 1 Reputation point
2021-03-02T21:43:01.24+00:00

For Active Directory domain controllers, the "Kerberos Authentication" certificate template (and newer) include a couple of SAN entry options, like DNS name. This template can be used for auto-enrollment for domain controllers with an AD-integrated PKI, which is very nice and really convenient, and it reduces issues with the hands-free nature of this setup.

The problem comes when you are trying to put domain controllers behind a load-balancer, where LDAP over SSL requires the server certificate to have the "common" name present. The typical load-balancer setup would be something like have a VIP and a "common name", like "ldap.mycorp.org".

Well, you cannot make a secure connection (aka, LDAP over SSL) to "ldap.mycorp.org" unless that name is added to the SAN list.

Yes, I know I can create a manual request and supply the SAN entries in the request, but that's now going to require regular attention, making sure certificates don't expire, making sure you run the script or manual request process on any new domain controllers that will be behind a load-balancer... Too many opportunities for failure!!!

I'm sure I know the answer, but in case there are any super-geek PKI guys here who might have some suggestions beyond the typical "make a manual request and read this link" response. I have ALL the links I need for that. I wrote a script that does ALL of the steps ON the domain controller. The problem is, there is no way to do auto-enrollment, so the missing piece is monitoring for pending certificate expiration, plus then someone has to do a change request and run the manual process.

Ideally, I'd love to know if it's possible to modify the certificate template. I mean, obviously, they have the ability to have a SAN. My whole organization just needs one additional SAN on all DCs, the equivalent of "mycorp.org", except to use the name "ldap.mycorp.org". This should already BE an option!!!!!!

As an alternative, I have a scripted process that works great, but it needs to be run at some point, and NEW DCs need this script run, which is usually the step that gets missed, which causes load-balance issues/failures. I'm not sure what the best way is to get this script to run only when it's really needed (at a new DC deployment or a pending certificate expiration).

I know there are some genius PKI guys in this forum, so I'm looking forward to some interesting discussion!!

Thank you for your support!!

-- Rob "I" --
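An added example (not from the original post, and not Microsoft's code) of the "run only when really needed" gate described above: a PowerShell check, intended for a scheduled task on each domain controller, that looks in the machine store for a Server Authentication certificate carrying the load-balanced name and only hands off to the existing request script when no such certificate exists (new DC) or it is within the renewal window. The name ldap.mycorp.org, the 30-day threshold and the request script path are assumptions.

```powershell
# Added example: decide whether the custom LDAPS certificate needs (re)issuing on this DC.
# Assumptions: load-balanced name is ldap.mycorp.org, renewal starts 30 days before
# expiry, and the existing manual-request script is at C:\PKI\Request-LdapsCert.ps1.
param(
    [string]$RequiredSan   = 'ldap.mycorp.org',
    [int]   $RenewDaysLeft = 30,
    [string]$RequestScript = 'C:\PKI\Request-LdapsCert.ps1'   # placeholder path
)

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, required for LDAPS

# Newest usable server-auth certificate in the machine store whose SAN (DnsNameList
# is populated by the PowerShell certificate provider) covers the required name.
function Get-LdapsCandidate {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku) -and
            ($_.DnsNameList.Unicode -contains $RequiredSan)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$cert = Get-LdapsCandidate
$now  = Get-Date

if (-not $cert) {
    $reason = "no Server Authentication certificate with SAN '$RequiredSan' (new DC?)"
} elseif ($cert.NotAfter -lt $now.AddDays($RenewDaysLeft)) {
    $reason = "certificate $($cert.Thumbprint) expires $($cert.NotAfter)"
} else {
    Write-Output "OK: $($cert.Thumbprint) covers $RequiredSan until $($cert.NotAfter)"
    exit 0
}

# Only now run the existing manual-request process; a non-zero exit code lets the
# scheduled task or monitoring system flag DCs where the request did not happen.
Write-Output "ACTION NEEDED: $reason"
if (Test-Path $RequestScript) {
    & $RequestScript
} else {
    Write-Warning "request script not found at $RequestScript"
}
exit 1
```

The exit code (0 = covered, 1 = action taken or needed) is what a task scheduler or monitoring agent should alert on, so an un-run script on a freshly deployed DC surfaces before the load balancer starts failing health checks.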

Tags: Active Directory, Windows Server Security

4 answers

  1. Daisy Zhou 20,301 Reputation points Microsoft Vendor
    2021-03-03T08:05:28.747+00:00

    Hello @RobIngenthron-2975,

    Thank you for posting here.

    Any way to modify certificate templates to include default SAN entries?
    A: After reading your post several times, I understand you must supply the SAN entries in the request and request certs using the corresponding certificate template. This cannot use cert auto-enrollment.

    But if the validity period of the certificate is approaching, the certificate will expire, and you do not want the certs to be expired, so you want to use cert autoenrollment.

    It seems this is contradictory.

    I am sorry, based on my knowledge, I only know we can supply the custom SAN entries in the request.

    Hope some genius PKI guys in this forum can give some ideas and help you better.

    Thank you for your understanding.

    Best Regards,
    Daisy Zhou


  2. Vadims Podāns 9,116 Reputation points MVP
    2021-03-03T08:46:28.463+00:00

    Ideally, I'd love to know if it's possible to modify the certificate template.

    The short answer is NO. Initial provisioning/autoenrollment is not possible with a custom SAN that is not part of the dNSHostName DS attribute.


  3. Rob I 1 Reputation point
    2021-03-07T00:07:43.487+00:00

    It is very unfortunate (and a bit difficult to understand) that after all these years we still have no way to add a SAN to a template for a domain controller (given that the ability is already there as you will find the FQDN for your domain listed as a SAN entry).

    I came across another article that seems to state that, even though the auto-enrollment feature will not work, the auto-renewal feature should be able to take care of the renewals to keep it hands off, provided the custom DC certificate that was used to issue the custom certificate to the domain controller. Since the PKI is AD-integrated and the domain controllers are obviously domain-joined, the auto-renewal should continue to renew the custom certificates without any further manual intervention.

    Reference:
    https://learn.microsoft.com/en-us/archive/blogs/russellt/custom-ldap-certs

    I am disappointed that some of my favorite contributors in this forum did not weigh in.


  4. Alexander Ollischer 0 Reputation points
    2023-10-20T07:28:05.9133333+00:00