Device certificate profile with SAN DNS= {{FullyQualifiedDomainName}} doesn't work


I've created a certificate profile to push device certificates to Windows 10 computers.  After struggling with the certificate requests failing for a while, I finally got it to issue certificates, but one of the SANs is missing.  

 

Initially the profile was set to use a Subject name of {{AADdeviceID}}, with a SAN of DNS={FullyQualifiedDomainName}}.  What seems to have got it working is to add a second SAN of DNS={{DeviceName}}, but looking at the certificate that was issued, it has only the second SAN.  The FQDN is not listed anywhere on the certificate.  


Has anyone set up a PKCS certificate profile that successfully issues device certificates with the FQDN as a subject name or SAN?  

 

What would cause the certificate to be issued without the additional SAN?

0 Replies