IIS Server Security - Re: Is possible to create CSRs for IIS 6 and use certs resulting wo "Organization

This is Interesting: Free IT Magazines  
Home > Archive > IIS Server Security > January 2008 > Re: Is possible to create CSRs for IIS 6 and use certs resulting wo "Organization





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author Re: Is possible to create CSRs for IIS 6 and use certs resulting wo "Organization
Alun Jones

2008-01-04, 1:27 pm

"Rob" <rss245@gmail.com> wrote in message
news:e482f692-b854-4cd6-9467-aa131dd05d19@y5g2000hsf.googlegroups.com...
> Is possible to create CSRs for IIS 6 and use certs resulting wo
> "Organization Unit" ?
> Perhaps there is a registry hack or OS Policy change, or even if IIS 6
> still uses a Metabase perhaps there is a way to tweak IIS to allow an
> empty field for "Organization Unit" which is optional on other
> servers.

You can always create your own certificate signing request using external
tools, web enrollment or other methods, such as writing your own programs.
Getting a CA to sign it will depend on that CA accepting the format of
certificate signing request that you send - they may require that the OU be
present, or they may be comfortable with its absence.

But the key here is that you don't have to generate the certificate using
Microsoft's wizard.

> Cany someone in this group please address this issue. Microsoft has
> very little out there about its tweaks.
>
> It seems reasonable that there would be a tweak allowing the creation
> and use of SSL CSRs without Organization Unit" considered optional in
> other web servers.

There could be tweaks for everything, but you'd have to have a huge hard
drive to store the software, and it'd take hours to boot. Microsoft gives
you a certificate wizard for IIS for your convenience, rather than to
satisfy every possible contingency.

> Am I the only one to ask for this?

Apparently.

> What is the downside to allowing
> CSRs be created without "Organization Unit field values"

I can't immediately think of one, except of course that a client could be
configured to reject certificates that didn't have an OU. What is the
downside to putting "N/A", or repeating the Organisation field, in the OU
field?

> It seems
> rather stupid not to require such a field while the OS has a setting
> to allow no password to be used in logins.

It seems rather stupid to require cars to stop at red lights when airplanes
aren't. No, actually, it doesn't - the two are completely unconnected.

> Can someone please address this. Maybe someone from Microsoft?

Alun.
~~~~


Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2008 webservertalk.com