BradSwientoniowski-2681 asked Crypt32 answered

Can I issue certs from an Enterprise CA for a different domain name?

We have an Active Directory domain named after one of two companies that merged to form our current company. Let's call it oldcompany1.com. This is the AD domain we kept post-merger.

We did register a public Internet domain with the new company name after the merger. Let's call it MergedCompany.com.

We do have "mergedcompany.com" configured as a primary forward lookup zone integrated into AD DNS.

There are only a few internal resources we have static records for in our mergedcompany.com DNS zone.

Would I be able to issue certificates with the subject name or SAN for something like "intranet.mergedcompany.com" from our enterpriseCA.oldcompany1.com? Is it just a matter of putting the other domain in the subject name/SAN field in the certificate request?

windows-server-security

Hi,
Before going further, would you please tell me whether you created the trust between the 2 domains?
Did you create the DNS forward for each other?
I would like to do a test in my lab.
Best Regards,


The other domain doesn't exist as an actual AD domain. It's just a domain NAME that is configured as a forward lookup zone in DNS.


1 Answer

Crypt32 answered

Yes, you can do this by using the Web Server or a derived certificate template. This template by default accepts a user-supplied subject, so you can insert whatever name you need in the subject alternative name. The process is well described in my blog post: https://www.sysadmins.lv/blog-en/web-server-certificate-enrollment-with-san-extension.aspx
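
The request described in the answer, sketched with `certreq` as an added example (not part of the original answer or the linked blog post). It assumes the default Web Server template (`WebServer`) is published on the CA and that you may enroll in it; the CA common name in `$caConfig` is a placeholder, and the working folder name is arbitrary.

```powershell
# Added example. Run from an elevated prompt (the key is created in the machine store).
$dnsName  = 'intranet.mergedcompany.com'
$caConfig = 'enterpriseCA.oldcompany1.com\<CA-common-name>'   # placeholder CA name
$work     = Join-Path $env:TEMP 'san-request'                 # arbitrary folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# certreq policy file: subject and SAN are supplied by the requester, not built from AD.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$dnsName"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$dnsName&"

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$work\request.inf" -Encoding ASCII

certreq.exe -new "$work\request.inf" "$work\request.req"
certreq.exe -submit -config $caConfig "$work\request.req" "$work\issued.cer"
if (-not (Test-Path "$work\issued.cer")) {
    # No file means the CA denied the request or left it pending for approval.
    throw 'No certificate was returned by the CA.'
}

# Confirm the issued certificate really carries the requested name before installing it.
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$work\issued.cer"
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
if ($sanText -notmatch [regex]::Escape($dnsName)) {
    throw "Issued certificate does not carry the expected SAN: '$sanText'"
}
certreq.exe -accept "$work\issued.cer"
```

Because the template takes the names from the request, the CA does not check that the requester has any claim to `mergedcompany.com`; keep Enroll permission on this template (or a copy of it) limited to the administrators who should be able to issue server certificates.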
