Mapping MS AD certificate templates

Add a certificate template mapping

  • SSL certificates

  • Client certificates

  • Device certificates

SSL certificates

  1. Navigate to Enrollment > MS AD Certificate Template Mapping.

  2. Click the Add icon.

  3. Complete the Add MS AD Certificate Template Mapping fields based on the information provided in the following table.

    Column: Description

    MS AD Template

    MS Agent: The MS agent through which certificate requests are brought from MS AD to SCM

    MS AD Template: The MS AD certificate template configured on the AD server

    Certificate

    Certificate Type: The type of certificate that is requested using this template. For SSL certificates the value must be SSL Certificate.

    Term: The validity period configured for the selected Sectigo certificate profile in SCM

    Certificate Profile: The Sectigo certificate profile configured to be issued when a certificate request is brought into SCM by the selected MS agent

    Attributes Mapping: The mapping of attributes brought from MS AD to the associated values in SCM certificate profiles. Attribute mapping is not available for SSL certificates.

    Term: The validity period of the certificate, as defined in the selected template

    Key Usage: Key usage defined in the selected MS AD certificate template

    Extended Key Usage: Extended key usage defined in the selected MS AD certificate template

  4. Click Save.

Client certificates

  1. Navigate to Enrollment > MS AD Certificate Template Mapping.

  2. Click the Add icon.

  3. Complete the Add MS AD Certificate Template Mapping fields based on the information provided in the following table.

    Column: Description

    MS AD Template

    MS Agent: The MS agent through which certificate requests are brought from MS AD to SCM

    MS AD Template: The MS AD certificate template configured on the AD server

    Certificate

    Certificate Type: The type of certificate that is requested using this template. For Client certificates the value must be Client Certificate.

    Term: The validity period configured for the selected Sectigo certificate profile in SCM

    Certificate Profile: The Sectigo certificate profile configured to be issued when a certificate request is brought into SCM by the selected MS agent

    Attributes Mapping: The mapping of attributes brought from MS AD to the associated values in SCM certificate profiles. This mapping can override settings specified in the MS AD Certificate Template.

    Term: The validity period of the certificate, as defined in the selected template

    Key Usage: Key usage defined in the selected MS AD certificate template

    Extended Key Usage: Extended key usage defined in the selected MS AD certificate template

  4. (Optional) Customize the attributes mapping.

    1. Click Customize Attributes.

    2. Complete the Attributes Mapping fields based on the information provided in the following table.

      Field: Description

      Attribute: Indicates the terms used by SCM. The default attributes are:

      • Common Name — The domain to which the certificate is to be issued

        An email can also be included in the CN field. The maximum allowed character length for this field is 64.

      • DNS — DNS hostname

      • Department Name — The name of the department in which the end-user works

      • Email — The email address of the end-user

        If this attribute is mapped and Send to CA is selected, the end-user’s email address is included in the certificate’s Subject and SAN fields.

      • First Name — The end-user’s first name

      • Last Name — The end-user’s surname

      • Organization Name — The name of the company for which the end-user works

      • SPN — The unique identifier of the service instance

      • Secondary Email — Additional email address for the end-user

      • UPN — The email address that should appear as principal name in the certificate to be issued

        Client certificates issued to end-users of organizations or departments with principal name support enabled (the option is off by default) include a Principal Name, in addition to the RFC 822 name, in the SAN field.

      Value: Indicates the equivalent terms used in MS AD or a static value unrelated to MS AD. When you start typing a value, a list of suggested AD attributes is populated. If a static value is used, it must be enclosed in quotation marks.

      Send to CA: Controls whether an attribute is included in (selected) or excluded from (not selected) the incoming request when it is passed on to the CA. If a check box is disabled (grayed out), the attribute is mandatory for the CA and must be included in the request. For device certificates, all customized attributes are sent to the CA.

      Add: Adds an SCM attribute to be mapped. Duplicate attributes are not permitted.

      Reset To Default: Resets all attributes and values to the default customized mapping

      Remove: Prevents the attribute from being populated in the Person profile and from being included in the certificate request sent to Sectigo. Some attributes represent a mandatory detail of the connected Person profile and cannot be deleted.

    3. Click Save.

  5. Click Save.
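The mapping rules in the table above (a static value must be quoted, duplicate attributes are not permitted, Common Name is limited to 64 characters, Send to CA decides what reaches the CA) can be checked on a planned mapping before it is entered in SCM. The following is an added example, not Sectigo code; the LDAP attribute names, the sample rows and the choice to flag unresolved values as problems are assumptions.

```python
# Added example: pre-flight check of a planned Attributes Mapping.
# Rules come from the table above; rows and AD record are constructed samples.
CN_MAX = 64  # maximum Common Name length stated on this page

def resolve(value, ad_record):
    """Quoted text is a static value; anything else names an AD attribute."""
    v = value.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return v[1:-1]
    return ad_record.get(v)  # None when the directory has no such value

def check_mapping(rows, ad_record):
    """rows: (SCM attribute, Value, Send to CA). Returns (to_ca, problems)."""
    to_ca, problems, seen = {}, [], set()
    for attr, value, send in rows:
        if attr in seen:
            problems.append(f"{attr}: duplicate attribute")
            continue
        seen.add(attr)
        resolved = resolve(value, ad_record)
        if resolved is None:
            # Assumption: an unresolved name is treated as a planning error.
            problems.append(f"{attr}: {value} is not quoted and not in AD")
        elif attr == "Common Name" and len(resolved) > CN_MAX:
            problems.append(f"{attr}: {len(resolved)} characters, limit {CN_MAX}")
        elif send:
            to_ca[attr] = resolved
    return to_ca, problems

# Constructed AD user record keyed by LDAP attribute name.
SAMPLE_USER = {
    "cn": "Alex Example", "mail": "alex@example.test",
    "userPrincipalName": "alex@corp.example.test",
    "department": "Finance",
}

# Constructed mapping rows: (SCM attribute, Value, Send to CA).
SAMPLE_ROWS = [
    ("Common Name", "cn", True),
    ("Email", "mail", True),
    ("UPN", "userPrincipalName", True),
    ("Organization Name", '"Example Corp"', True),
    ("Department Name", "department", False),   # not sent to the CA
    ("Email", "userPrincipalName", True),       # duplicate attribute
    ("Secondary Email", "Example Corp", True),  # static value without quotes
]

if __name__ == "__main__":
    print(check_mapping(SAMPLE_ROWS, SAMPLE_USER))
```
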

Device certificates

  1. Navigate to Enrollment > MS AD Certificate Template Mapping.

  2. Click the Add icon.

  3. Complete the Add MS AD Certificate Template Mapping fields based on the information provided in the following table.

    Column: Description

    MS AD Template

    MS Agent: The MS agent through which certificate requests are brought from MS AD to SCM

    MS AD Template: The MS AD certificate template configured on the AD server

    Certificate

    Certificate Type: The type of certificate that is requested using this template. For Device certificates the value must be Device Certificate.

    Term: The validity period configured for the selected Sectigo certificate profile in SCM

    Certificate Profile: The Sectigo certificate profile configured to be issued when a certificate request is brought into SCM by the selected MS agent

    Attributes Mapping: The mapping of attributes brought from MS AD to the associated values in SCM certificate profiles. This mapping can override settings specified in the MS AD Certificate Template.

    Term: The validity period of the certificate, as defined in the selected template

    Key Usage: Key usage defined in the selected MS AD certificate template

    Extended Key Usage: Extended key usage defined in the selected MS AD certificate template

  4. (Optional) Customize the attributes mapping.

    1. Click Customize Attributes.

    2. Complete the Attributes Mapping fields based on the information provided in the following table.

      Field: Description

      Attribute: Indicates the terms used by SCM. The default attributes are:

      • DNS Name — DNS hostname

      • Email address — The email address of the end-user

      • RFC 822 name — The email address of the end-user included in the certificate’s SAN

      • Service principal name — The unique identifier of the service instance

      • User principal name — The email address that should appear as principal name in the certificate to be issued

      Value: Indicates the equivalent terms used in MS AD or a static value unrelated to MS AD. When you start typing a value, a list of suggested AD attributes is populated. If a static value is used, it must be enclosed in quotation marks.

      Add: Adds an SCM attribute to be mapped. Duplicate attributes are not permitted.

      Reset To Default: Resets all attributes and values to the default customized mapping

      Remove: Prevents the attribute from being populated in the Person profile and from being included in the certificate request sent to Sectigo. Some attributes represent a mandatory detail of the connected Person profile and cannot be deleted.

    3. Click Save.

  5. Click Save.