1

I am managing a Windows 2008 ADCS CA and have been aware of the security risks in issuing certificates with SANs. So I tested issuing a PKCS10 file with SANs in the request and it issued the certificate with the SANs when it's supposed to be blocked.

To be sure, I used the command certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 (notice the minus) to remove the SAN flag if it was present, and it wasn't.

This does however, block adding SANs from the additional request attributes when using something like this: san:dns=webmail.domainc.com&dns=mail.domainc.com&dns=autodiscover.domainc.com

So is there a way to completely block SANs from issued certificates regardless of where they are specified?

JuanKB1024
  • 133
  • 1
  • 2
  • 6
  • 1
    What security risks are you talking about? Every certificate should have a SAN as per [RFC6125](https://tools.ietf.org/html/rfc6125#section-6.4.4). I think you are trying to implement a fix for something that isn't a problem, and are making a headache for yourself... – Mark Henderson May 09 '17 at 19:00

1 Answer

0

Well, actually you already did what you should do in order to prevent unauthorized subject name injection into certificates through automatic request approval. As long as the SAN extension is authenticated (embedded in the CSR) it is OK to have a SAN extension. Mark Henderson was correct in his comment; you misunderstand the issue. The real issue is not with the SAN, but how it is added to the CSR. And it is bad to allow a SAN from unauthenticated attributes, because they are processed and included in the certificate without validation.

What else you can do: require CA manager approval for all certificate templates that take the subject value from the incoming request (not from Active Directory). SAN value inspection for untrusted sources is still necessary. There is no need to do this for templates that build the subject automatically from AD, because those templates completely ignore the subject information contained in the request and are therefore not affected.

Crypt32
  • 6,414
  • 1
  • 13
  • 32
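The two checks the answer recommends, as an added PowerShell example that is not part of the answer or of Windows: it reads the active policy module's EditFlags to see whether the EDITF_ATTRIBUTESUBJECTALTNAME2 bit is set, and lists the DNS names in a CSR's embedded SAN so a CA manager can compare them against a constructed allowlist before approving a pending request. The registry layout of the default Microsoft policy module and the `DNS Name=` line format of `certutil -dump` are assumptions.

```powershell
# Added example (not from the answer above): audit EditFlags for
# EDITF_ATTRIBUTESUBJECTALTNAME2 and inspect the DNS SANs embedded in a CSR.
# Assumptions: default Microsoft policy module; `certutil -dump` prints each
# embedded SAN entry as a "DNS Name=<host>" line.

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # bit value of the flag in EditFlags

function Test-UnauthenticatedSanEnabled {
    # Walk the registry the same way certutil -getreg policy\EditFlags does.
    $cfg   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $ca    = (Get-ItemProperty $cfg).Active
    $pm    = (Get-ItemProperty "$cfg\$ca\PolicyModules").Active
    $flags = (Get-ItemProperty "$cfg\$ca\PolicyModules\$pm").EditFlags
    return (($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
}

function Get-CsrDnsSan {
    param([Parameter(Mandatory)][string]$CsrPath)
    # certutil decodes the PKCS#10 and prints each SAN entry on its own line.
    $dump = certutil -dump $CsrPath
    return $dump | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(\S+)') { $Matches[1].ToLower() }
    }
}

function Test-CsrSanAllowed {
    param(
        [Parameter(Mandatory)][string]$CsrPath,
        [Parameter(Mandatory)][string[]]$AllowedDomains   # constructed allowlist
    )
    # A name passes if it equals an allowed domain or is a subdomain of one.
    $bad = foreach ($name in Get-CsrDnsSan -CsrPath $CsrPath) {
        $ok = $AllowedDomains | Where-Object { $name -eq $_ -or $name.EndsWith(".$_") }
        if (-not $ok) { $name }
    }
    if ($bad) { Write-Warning "SAN entries outside the allowlist: $($bad -join ', ')" }
    return (-not $bad)
}

if (Test-UnauthenticatedSanEnabled) {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: SANs from request attributes are accepted without validation.'
}
# Constructed usage: a CA manager runs this against the CSR of a pending request.
Test-CsrSanAllowed -CsrPath '.\request.csr' -AllowedDomains @('domainc.com')
```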