Access Manager - User & device certificate authentication with the same root CA

PhilippGreindl
Here to help


Hello there,

we have a root CA imported to our Access Manager.

There we can set the identity part to either Common Name or RFC822 (mail):

[Screenshot 2026-02-24 154701.jpg]

If we want to authenticate with device certificates we need the Common Name as identity.

Obviously our non-domain devices will use the device certificate with their DNS name as CN. It is impossible to use the RFC822 field for device certificates, as a printer/phone does not have an email address.

If we want to authenticate with user certificates we need the RFC822 as identity because of Entra ID lookup.

The Windows CA cannot fill the CN field with the email address for Entra ID lookup.

So we have to use the SAN in the certificate and fill in the email address.

How can we achieve a setup where we can use both of the methods?

Ideally we also want domain-joined devices to use cert-based auth before the user logon.

Possible solutions we already discussed:

- Use a second CA for different auth methods -> Not smart

- Messed up the user cert creation to use the email as common name -> Not possible to automate with cert rollout and not recommended by Microsoft

Best regards

Philipp

PhilipDAth
Kind of a big deal

I originally set up something like this using Intune Cloud PKI. I configured it using the Common Name.

This is the certificate template I used for users:

[Screenshot 2026-02-25 094422.png]

This is the certificate template I used for computers:

[Screenshot 2026-02-25 094524.png]

I don't have access to a Windows CA at the moment, but I would duplicate the "Computer" (and maybe the "User") template. In one of the tabs, there's an option to add extra fields to the certificate. Try adding fields to the Common Name like above.
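To make the two identity modes concrete, here is an added Go example (not code from either poster or from Meraki) that builds a constructed root CA with three leaf certificates under it and applies a modelled `identity()` selector: in "rfc822" mode the printer has no identity, in "cn" mode the default user cert yields the display name rather than the email, and only the user cert with the email placed in the CN, as the reply suggests, resolves under the same "cn" setting as the device. The CA name, host name and user details are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// identity models the Access Manager identity switch: "cn" reads the subject
// Common Name, "rfc822" the first email SAN entry; "" means no usable identity.
func identity(c *x509.Certificate, mode string) string {
	switch {
	case mode == "cn":
		return c.Subject.CommonName
	case mode == "rfc822" && len(c.EmailAddresses) > 0:
		return c.EmailAddresses[0]
	}
	return ""
}

// issue signs tmpl with caKey under ca (self-signed when ca is nil) and parses the result.
func issue(tmpl, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	parent, signer := tmpl, key // self-signed unless a CA is given
	if ca != nil {
		parent, signer = ca, caKey
	}
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = big.NewInt(time.Now().UnixNano()), time.Now(), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// constructedPKI builds one root CA and three leaves (constructed data): a printer with its DNS name as CN,
// a user cert as Windows templates issue it (name as CN, email only in the SAN), and one with the email as CN.
func constructedPKI() (device, userSAN, userCN *x509.Certificate) {
	ca, caKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Example Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leaf := func(cn string, emails ...string) *x509.Certificate {
		c, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, EmailAddresses: emails}, ca, caKey)
		return c
	}
	return leaf("printer01.example.com"), leaf("Jane Doe", "jane.doe@example.com"), leaf("jane.doe@example.com", "jane.doe@example.com")
}
```

Call `constructedPKI()` and `identity()` from a `main` or test of your own; the functions return the identities rather than printing them.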
