
How to: Use NDE to organize certs based on x509 fields in the request

Summary:

Network Device Enrollment (NDE) can place the certificate it issues for a request into a specific Policy container, chosen by rules that test the X.509 subject fields of the certificate request. This article describes how to configure those container rules.

More Information:

  1. Navigate to the Platforms tree
  2. Click the Engine object (it is named after the director server)
  3. Click the Rules tab
  4. Enable the option 'Allow x.509 Subject Container Rules'
  5. Click the 'Add' button
  6. Choose the location in the Policy tree where matching certificates will be placed
  7. In the pop-up box, open the 'Use container if' drop-down
  8. The subject field options are:
  • Any x.509 field
  • Common Name
  • Organization
  • OU
  • City

        The second drop-down selects the comparison:

  • starts with
  • matches
  • contains

        The final field holds the value that the selected subject field is compared against.


Here are some examples:

Common Name starts with b:

[Screenshot: CN_starts_with_b.PNG]

A request arrives with the subject CN=blueox.non-corp.com,O=non-corp.com,OU=finance,S=CA,C=US. The Common Name begins with "b", so the rule matches and the certificate is placed in that policy.


OU matches HR:

[Screenshot: OU_matches_HR.PNG]

A request arrives with the subject CN=voip.non-corp.com,O=non-corp.com,OU=HR,S=CA,C=US. The OU is exactly HR, so the rule matches and the certificate is placed in that policy.


Organization contains bank:

[Screenshot: Org_contains_bank.PNG]

A request arrives with the subject CN=vault.non-corp.com,O=big bank\,inc,OU=security,S=CA,C=US. The Organization value contains "bank", so the rule matches and the certificate is placed in that policy. Note the backslash: in a string-form distinguished name a comma inside a value must be escaped (RFC 4514), otherwise "inc" is read as the start of a separate, malformed attribute instead of as part of the Organization, and the rule would be evaluated against the wrong value.

Note: Rules are evaluated from the top down, and the first rule that matches wins. If a rule on the Common Name sits above a rule on the Organization, a request that satisfies both is placed by the Common Name rule and the Organization rule is never consulted. Keep the rule set small, and order it so that the rule you want to win sits above any broader rule it overlaps with.

   9. Restart the IIS service
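
The matching logic the steps above describe, as an added example that is not the NDE product's own code: a small Python evaluator that parses a request subject, applies an ordered list of field / comparison / value rules and returns the policy folder of the first rule that matches. It assumes comparisons are case-insensitive, that 'matches' means exact equality, that 'City' is the localityName (L) attribute, and that 'Any x.509 field' tests every subject attribute; the article does not state any of these, and the policy folder names are hypothetical. The parser also shows why an unescaped comma inside an attribute value breaks the evaluation.

```python
"""Toy evaluator for NDE-style x.509 subject container rules.

Added example, not the NDE product's code. Assumptions the article does
not state: comparisons are case-insensitive, 'matches' is exact equality,
'Any x.509 field' tests every subject attribute value, 'City' maps to the
localityName (L) attribute, and the first matching rule (top-down) wins.
Policy folder names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Drop-down field names from the article mapped to RDN attribute types.
# S= in the article's sample subjects is the Microsoft spelling of
# stateOrProvinceName; OpenSSL prints the same attribute as ST=.
FIELD_TO_RDN = {
    "Common Name": "CN",
    "Organization": "O",
    "OU": "OU",
    "City": "L",  # assumption: localityName
}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 string DN into (type, value) pairs.

    A backslash escapes the next character, so 'O=big bank\\,inc' stays one
    Organization value. An unescaped comma leaves a fragment with no '=',
    which is reported as malformed rather than becoming a bogus attribute.
    """
    rdns: list[tuple[str, str]] = []
    buf: list[str] = []
    key: Optional[str] = None
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key = "".join(buf).strip().upper()
            buf = []
        elif ch == ",":
            if key is None:
                raise ValueError(f"malformed RDN {''.join(buf)!r}: "
                                 "escape commas inside values as '\\,'")
            rdns.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("trailing backslash")
    if key is None and "".join(buf).strip():
        raise ValueError(f"malformed RDN {''.join(buf)!r}")
    if key is not None:
        rdns.append((key, "".join(buf).strip()))
    return rdns


@dataclass(frozen=True)
class Rule:
    field: str     # 'Any x.509 field', 'Common Name', 'Organization', 'OU', 'City'
    operator: str  # 'starts with', 'matches', 'contains'
    value: str     # the text typed into the rule
    policy: str    # Policy-tree folder the certificate is placed in (hypothetical)


def _compare(candidate: str, operator: str, value: str) -> bool:
    c, v = candidate.casefold(), value.casefold()  # assumption: case-insensitive
    if operator == "starts with":
        return c.startswith(v)
    if operator == "matches":
        return c == v
    if operator == "contains":
        return v in c
    raise ValueError(f"unknown operator {operator!r}")


def rule_matches(rule: Rule, subject: list[tuple[str, str]]) -> bool:
    """True if any attribute value the rule applies to satisfies it."""
    if rule.field == "Any x.509 field":
        candidates = [v for _, v in subject]
    else:
        attr = FIELD_TO_RDN[rule.field]
        candidates = [v for t, v in subject if t == attr]
    return any(_compare(c, rule.operator, rule.value) for c in candidates)


def select_policy(rules: list[Rule], dn: str,
                  default: Optional[str] = None) -> Optional[str]:
    """Walk the rules top-down; the first match wins, as the article's note says."""
    subject = parse_dn(dn)
    for rule in rules:
        if rule_matches(rule, subject):
            return rule.policy
    return default


# The article's three rules, in the order they sit in the Rules tab.
RULES = [
    Rule("Common Name", "starts with", "b", "Policy\\Devices\\B-hosts"),
    Rule("OU", "matches", "HR", "Policy\\Devices\\HR"),
    Rule("Organization", "contains", "bank", "Policy\\Devices\\Bank"),
]

if __name__ == "__main__":
    # Constructed subjects; the last one has OU=HR but the CN rule, which
    # sits higher in the list, claims it first.
    for dn in ("CN=blueox.non-corp.com,O=non-corp.com,OU=finance,S=CA,C=US",
               "CN=voip.non-corp.com,O=non-corp.com,OU=HR,S=CA,C=US",
               "CN=vault.non-corp.com,O=big bank\\,inc,OU=security,S=CA,C=US",
               "CN=bank-hr.non-corp.com,O=big bank\\,inc,OU=HR,S=CA,C=US"):
        print(f"{dn} -> {select_policy(RULES, dn, 'default')}")
```

Running the script prints the folder each of the article's sample subjects lands in, plus the fourth, constructed subject that satisfies both the Common Name and the OU rule and is taken by the Common Name rule because it is listed first. Feeding it the unescaped form O=big bank,inc raises ValueError instead of quietly matching "big bank" and discarding "inc".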
