Summary:
Network Device Enrollment (NDE) can place issued certificates into specific Policy containers based on the x.509 subject fields of the certificate request. This article describes how to configure these container rules.
More Information:
- Navigate to the Platforms tree
- Click on the Engine object (the name of the director server)
- Click on the Rules tab
- Enable the option 'Allow x.509 Subject Container Rules'
- Click the 'Add' button
- Choose the location in the Policy tree to place the certificates
- In the pop-up box, choose the drop-down for 'Use container if'
- The field options available are:
  - Any x.509 field
  - Common Name
  - Organization
  - OU
  - City
- The second drop-down is the comparison operator:
  - starts with
  - matches
  - contains
- The final field is the value the selected subject field is compared against.
Here are some examples:
Common Name starts with b:
A request comes in with CN=blueox.non-corp.com,O=non-corp.com,OU=finance,S=CA,C=US
This matches the rule, so the certificate is placed in that policy.
OU matches HR:
A request comes in with CN=voip.non-corp.com,O=non-corp.com,OU=HR,S=CA,C=US
This matches the rule, so the certificate is placed in that policy.
Organization contains bank:
A request comes in with CN=vault.non-corp.com,O=big bank,inc,OU=security,S=CA,C=US
This matches the rule, so the certificate is placed in that policy.
Note: Rules are evaluated from the top down in the order you add them, so if a rule on the Common Name sits above a rule on the Organization, the first rule that matches takes the certificate. Keep the rules simple when you create them.
- Restart the IIS service
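The following is an added example, not Venafi's code, that models how an ordered set of container rules is evaluated against a request's subject DN, using the three example rules and requests from this article. It assumes case-insensitive comparison, maps 'City' to the L attribute, and uses constructed policy names; it also handles the unescaped comma in 'O=big bank,inc'.

```python
# Added example (not the product's code): top-down evaluation of
# x.509 subject container rules against a request's subject DN.
from typing import Optional

# Assumed mapping from the UI field names to DN attribute types ('City' -> L).
FIELD_ATTRS = {"Common Name": "CN", "Organization": "O", "OU": "OU", "City": "L"}

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=a,O=b' into [('CN', 'a'), ('O', 'b')].
    A token with no '=' (e.g. 'inc' in 'O=big bank,inc') is an unescaped
    comma inside the previous value, so it is glued back onto that value."""
    parts: list[tuple[str, str]] = []
    for token in dn.split(","):
        if "=" in token:
            attr, value = token.split("=", 1)
            parts.append((attr.strip().upper(), value.strip()))
        elif parts:
            attr, value = parts[-1]
            parts[-1] = (attr, value + "," + token.strip())
    return parts

def field_matches(value: str, op: str, target: str) -> bool:
    v, t = value.lower(), target.lower()  # assumption: case-insensitive
    if op == "starts with":
        return v.startswith(t)
    if op == "matches":
        return v == t
    if op == "contains":
        return t in v
    raise ValueError(f"unknown operator: {op}")

def rule_matches(rule: tuple, dn_parts: list[tuple[str, str]]) -> bool:
    field, op, target, _container = rule
    if field == "Any x.509 field":
        return any(field_matches(v, op, target) for _, v in dn_parts)
    attr = FIELD_ATTRS[field]
    return any(field_matches(v, op, target) for a, v in dn_parts if a == attr)

def select_container(rules: list[tuple], dn: str) -> Optional[str]:
    """Rules are evaluated top-down; the first matching rule takes the certificate."""
    dn_parts = parse_dn(dn)
    for rule in rules:
        if rule_matches(rule, dn_parts):
            return rule[3]
    return None  # no rule matched

# The article's three example rules; policy container names are constructed.
RULES = [
    ("Common Name", "starts with", "b", "Policy-CN"),
    ("OU", "matches", "HR", "Policy-HR"),
    ("Organization", "contains", "bank", "Policy-Bank"),
]
```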