Change the order of the Relative Distinguished Names (RDNs) in the subject of issued certificates.

The Microsoft Certification Authority accepts subjects from certificate requests for templates in which their specification by the requester is allowed, not 1:1 in the issued certificate.

Instead, both is defined, which Relative Distinguished Names (RDNs) are allowedas well as in which order they are written to issued certificates. However, this order can be changed. How this is done is explained below.

There are applications that compare the subject of the issued certificate with the submitted certificate request. If the order of the Relative Distinguished Names is changed, certificate requests may fail. An example of this is the SSCEP Client for Linuxwhich is often used in thin clients, among other things. Likewise, the Appx package signature affected.

Determine the current settings

The currently configured order can be checked with the following command line command on the certification authority:

certutil -v -getreg CA\SubjectTemplate

The order is as follows in the default setting:

  • EMail
  • CommonName
  • OrganizationalUnit
  • Organization
  • Locality
  • State
  • DomainComponent
  • Country

Does the Certification Authority operate a registration service for network devices (Network Device Enrollment Service, NDES), the following RDNs are also defined:

  • UnstructuredName
  • UnstructuredAddress
  • DeviceSerialNumber

Change the order

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

When changing by copy/paste with the registry editor, it may happen that the registry value is no longer readable and the certification authority does not start. In this case, it will delete the Event no. 19 log.

The change of the sequence is preferably done via the command line. Here, all values are entered in a line, separated by the character for the line break one after the other.


certutil -setreg CA\SubjectTemplate "EMail\nCommonName\nOrganizationalUnit\nOrganization\nLocality\nState\nDomainComponent\nCountry"

The Certification Authority service must then be restarted for the changes to be applied.

Alternative: Disable new formation of the subject when the certificate is issued.

The certification authority can also be configured to accept the requested RDNs without modification. See article "Use of undefined Relative Distinguished Names (RDN) in issued certificates„.

Related links: