Managing MS AD certificate templates

Edit a certificate template mapping

  • SSL certificates

  • Client certificates

  • Device certificates

  1. Navigate to Enrollment  MS AD Certificate Template Mapping.

  2. Select the template mapping you want to edit, and click Edit.

  3. Complete the Edit MS AD Certificate Template Mapping fields based on the information provided in the following table.

    Column Description

    MS AD Template

    MS Agent

    The MS agent through which certificate requests are brought from MS AD to SCM.

    MS AD Template

    The MS AD certificate template configured on the AD server.

    Certificate

    Certificate Type

    The type of certificate that is requested using this template.

    For SSL certificates the value must be SSL Certificate.

    Term

    The validity period configured for the selected Sectigo certificate profile in SCM.

    Certificate Profile

    The Sectigo certificate profile configured to be issued when a certificate request is brought into SCM by the selected MS agent.

    Attributes Mapping

    The mapping of attributes brought from MS AD to the associated values in SCM certificate profiles.

    Attribute mapping is not available for SSL certificates.

    Term

    The validity period of the certificate, as defined in the selected template.

    Key Usage

    Key usage defined in the selected MS AD certificate template.

    Extended Key Usage

    Extended key usage defined in the selected MS AD certificate template.

  4. Click Save.

  1. Navigate to Enrollment  MS AD Certificate Template Mapping.

  2. Select the template mapping you want to edit, and click Edit.

  3. Complete the Edit MS AD Certificate Template Mapping fields based on the information provided in the following table.

    Column Description

    MS AD Template

    MS Agent

    The MS agent through which certificate requests are brought from MS AD to SCM.

    MS AD Template

    The MS AD certificate template configured on the AD server.

    Certificate

    Certificate Type

    The type of certificate that is requested using this template.

    For Client certificates the value must be Client Certificate.

    Term

    The validity period configured for the selected Sectigo certificate profile in SCM.

    Certificate Profile

    The Sectigo certificate profile configured to be issued when a certificate request is brought into SCM by the selected MS agent.

    Attributes Mapping

    The mapping of attributes brought from MS AD to the associated values in SCM certificate profiles.

    This mapping can override settings specified in the MS AD Certificate Template.

    Term

    The validity period of the certificate, as defined in the selected template.

    Key Usage

    Key usage defined in the selected MS AD certificate template.

    Extended Key Usage

    Extended key usage defined in the selected MS AD certificate template.

  4. (Optional) customize the attributes mapping.

    1. Click Customize Attributes.

    2. Complete the Attributes Mapping fields based on the information provided in the following table.

      Field Description

      Attribute

      Indicates the terms used by SCM.

      The default attributes are:

      • Common Name — The domain to which the certificate is to be issued.

        An email can also be included in the CN field. The maximum allowed character length for this field is 64.

      • DNS — DNS hostname.

      • Department Name — The name of the department in which the end-user works.

      • Email — The email address of the end-user.

        If this attribute is mapped and Send to CA is selected, the end-user’s email address is included in the certificate’s Subject and SAN fields.

      • First Name — The end-user’s first name.

      • Last Name — The end-user’s surname.

      • Organization Name — The name of the company for which the end-user works.

      • SPN — The unique identifier of the service instance.

      • Secondary Email — Additional email address for the end-user.

      • UPN — The email address that should appear as principal name in the certificate to be issued.

        Client certificates issued to end-users of organizations or departments with principal name support enabled (the option is off by default) include a Principal Name, in addition to the RFC 822 name, in the SAN field.

      Value

      Indicates the equivalent terms used in MS AD or a static value unrelated to MS AD.

      When you start typing a value, a list of suggested AD attributes is populated. If a static value is used, it must be enclosed in quotation marks.

      Send to CA

      Enables attributes to be included (selected) or excluded from (not selected) the transition of the incoming request to the CA.

      If a check box is disabled (grayed out), it means that the attribute is mandatory for the CA and must be included in the request. In case of device certificates, all customized attributes are sent to CA.

      Add

      Adds an SCM attribute to be mapped.

      Duplicate attributes are not permitted.

      Reset To Default

      Resets all attributes and values to the default customized mapping.

      Remove

      Prevents the attribute from being populated in the Person profile and from being included in the certificate request sent to Sectigo.

      Some attributes represent a mandatory detail of the connected Person profile and cannot be deleted.

    3. Click Save.

  5. Click Save.

  1. Navigate to Enrollment  MS AD Certificate Template Mapping.

  2. Select the template mapping you want to edit, and click Edit.

  3. Complete the Edit MS AD Certificate Template Mapping fields based on the information provided in the following table.

    Column Description

    MS AD Template

    MS Agent

    The MS agent through which certificate requests are brought from MS AD to SCM.

    MS AD Template

    The MS AD certificate template configured on the AD server.

    Certificate

    Certificate Type

    The type of certificate that is requested using this template.

    For Device certificates the value must be Device Certificate.

    Term

    The validity period configured for the selected Sectigo certificate profile in SCM.

    Certificate Profile

    The Sectigo certificate profile configured to be issued when a certificate request is brought into SCM by the selected MS agent.

    Attributes Mapping

    The mapping of attributes brought from MS AD to the associated values in SCM certificate profiles.

    This mapping can override settings specified in the MS AD Certificate Template.

    Term

    The validity period of the certificate, as defined in the selected template.

    Key Usage

    Key usage defined in the selected MS AD certificate template.

    Extended Key Usage

    Extended key usage defined in the selected MS AD certificate template.

  4. (Optional) customize the attributes mapping.

    1. Click Customize Attributes.

    2. Complete the Attributes Mapping fields based on the information provided in the following table.

      Field Description

      Attribute

      Indicates the terms used by SCM.

      The default attributes are:

      • DNS Name — DNS hostname.

      • Email address — The email address of the end-user.

      • RFC 822 name — The email address of the end-user included in the certificate’s SAN.

      • Service principal name — The unique identifier of the service instance.

      • User principal name — The email address that should appear as principal name in the certificate to be issued.

      Value

      Indicates the equivalent terms used in MS AD or a static value unrelated to MS AD.

      When you start typing a value, a list of suggested AD attributes is populated. If a static value is used, it must be enclosed in quotation marks.

      Add

      Adds an SCM attribute to be mapped.

      Duplicate attributes are not permitted.

      Reset To Default

      Resets all attributes and values to the default customized mapping.

      Remove

      Prevents the attribute from being populated in the Person profile and from being included in the certificate request sent to Sectigo.

      Some attributes represent a mandatory detail of the connected Person profile and cannot be deleted.

    3. Click Save.

  5. Click Save.

Delete certificate template mappings

  1. Navigate to Enrollment  MS AD Certificate Template Mapping.

  2. Select the template mapping you want to delete, and click the Delete icon.

  3. Click Delete.