How to find CA host name from CA common/sanitized name?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
Windows environment, ADCS and .Net application.
Given a certificate, from the Issuer attribute you can find the common name of the CA (like "My Issuing CA"), but not the hostname (issca.example.com).
How does one retrieve the hostname, in order to create the config string "issca.example.comMy Issuing CA"? Is that solely from an LDAP lookup (from Services/Public Key Services/Certification Authorities) or are there other ways?
What if, over time you have upgraded your CA (keeping it's common name, but changed the hostname to say newca), would one Always find "newca.example.comMy Issuing CA" or also "issca.example.comMy Issuing CA" e.g. for certificates issued before the upgrade?
We have an application which does exactly that (try to RPC to the old host name, which has disappeared from the network). We 'fixed' this by adding a DNS CNAME for issca to point to newca and also added SPNs of the old host to the new one. We suspect the application itself keeps a registration of which certificate was issued by which host, but the vendor denies that.
(And yes - it is a Microsoft supported scenario to change the hostname when upgrading/migrating a CA Microsoft docs
certificate ca revoke
asked Nov 16 '18 at 14:06
AndrePKIAndrePKI
12
add a comment |
Windows environment, ADCS and .Net application.
Given a certificate, from the Issuer attribute you can find the common name of the CA (like "My Issuing CA"), but not the hostname (issca.example.com).
How does one retrieve the hostname, in order to create the config string "issca.example.comMy Issuing CA"? Is that solely from an LDAP lookup (from Services/Public Key Services/Certification Authorities) or are there other ways?
What if, over time you have upgraded your CA (keeping it's common name, but changed the hostname to say newca), would one Always find "newca.example.comMy Issuing CA" or also "issca.example.comMy Issuing CA" e.g. for certificates issued before the upgrade?
We have an application which does exactly that (try to RPC to the old host name, which has disappeared from the network). We 'fixed' this by adding a DNS CNAME for issca to point to newca and also added SPNs of the old host to the new one. We suspect the application itself keeps a registration of which certificate was issued by which host, but the vendor denies that.
(And yes - it is a Microsoft supported scenario to change the hostname when upgrading/migrating a CA Microsoft docs
certificate ca revoke
asked Nov 16 '18 at 14:06
AndrePKIAndrePKI
12
add a comment |
Windows environment, ADCS and .Net application.
Given a certificate, from the Issuer attribute you can find the common name of the CA (like "My Issuing CA"), but not the hostname (issca.example.com).
How does one retrieve the hostname, in order to create the config string "issca.example.comMy Issuing CA"? Is that solely from an LDAP lookup (from Services/Public Key Services/Certification Authorities) or are there other ways?
What if, over time you have upgraded your CA (keeping it's common name, but changed the hostname to say newca), would one Always find "newca.example.comMy Issuing CA" or also "issca.example.comMy Issuing CA" e.g. for certificates issued before the upgrade?
We have an application which does exactly that (try to RPC to the old host name, which has disappeared from the network). We 'fixed' this by adding a DNS CNAME for issca to point to newca and also added SPNs of the old host to the new one. We suspect the application itself keeps a registration of which certificate was issued by which host, but the vendor denies that.
(And yes - it is a Microsoft supported scenario to change the hostname when upgrading/migrating a CA Microsoft docs
certificate ca revoke
asked Nov 16 '18 at 14:06
AndrePKIAndrePKI
12
Windows environment, ADCS and .Net application.
Given a certificate, from the Issuer attribute you can find the common name of the CA (like "My Issuing CA"), but not the hostname (issca.example.com).
How does one retrieve the hostname, in order to create the config string "issca.example.comMy Issuing CA"? Is that solely from an LDAP lookup (from Services/Public Key Services/Certification Authorities) or are there other ways?
What if, over time you have upgraded your CA (keeping it's common name, but changed the hostname to say newca), would one Always find "newca.example.comMy Issuing CA" or also "issca.example.comMy Issuing CA" e.g. for certificates issued before the upgrade?
We have an application which does exactly that (try to RPC to the old host name, which has disappeared from the network). We 'fixed' this by adding a DNS CNAME for issca to point to newca and also added SPNs of the old host to the new one. We suspect the application itself keeps a registration of which certificate was issued by which host, but the vendor denies that.
(And yes - it is a Microsoft supported scenario to change the hostname when upgrading/migrating a CA Microsoft docs
certificate ca revoke
certificate ca revoke
asked Nov 16 '18 at 14:06
AndrePKIAndrePKI
12
asked Nov 16 '18 at 14:06
AndrePKIAndrePKI
12
asked Nov 16 '18 at 14:06
AndrePKIAndrePKI
12
asked Nov 16 '18 at 14:06
AndrePKIAndrePKI
12
asked Nov 16 '18 at 14:06
AndrePKIAndrePKI
12
12
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53339418%2fhow-to-find-ca-host-name-from-ca-common-sanitized-name%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53339418%2fhow-to-find-ca-host-name-from-ca-common-sanitized-name%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
