Is it possible to create CSRs for IIS 6 and use certs resulting wo

on 03.01.2008 14:51:51 by Rob

Is it possible to create CSRs for IIS 6 and use certs resulting wo
"Organization Unit"?
Perhaps there is a registry hack or OS Policy change, or, even if IIS 6
still uses a Metabase, perhaps there is a way to tweak IIS to allow an
empty field for "Organization Unit", which is optional on other
servers.

Can someone in this group please address this issue? Microsoft has
very little out there about its tweaks.

It seems reasonable that there would be a tweak allowing the creation
and use of SSL CSRs without "Organization Unit", considered optional in
other web servers.

Am I the only one to ask for this? What is the downside to allowing
CSRs to be created without "Organization Unit" field values? It seems
rather stupid not to require such a field while the OS has a setting
to allow no password to be used in logins.

Can someone please address this? Maybe someone from Microsoft?

Re: Is possible to create CSRs for IIS 6 and use certs resulting wo

on 04.01.2008 07:51:38 by David Wang

On Jan 3, 5:51 am, Rob wrote:
> Is it possible to create CSRs for IIS 6 and use certs resulting wo
> "Organization Unit" ?
> Perhaps there is a registry hack or OS Policy change, or even if IIS 6
> still uses a Metabase perhaps there is a way to tweak IIS to allow an
> empty field for "Organization Unit" which is optional on other
> servers.
>
> Can someone in this group please address this issue. Microsoft has
> very little out there about its tweaks.
>
> It seems reasonable that there would be a tweak allowing the creation
> and use of SSL CSRs without Organization Unit" considered optional in
> other web servers.
>
> Am I the only one to ask for this? What is the downside to allowing
> CSRs be created without "Organization Unit field values" It seems
> rather stupid not to require such a field while the OS has a setting
> to allow no password to be used in logins.
>
> Can someone please address this. Maybe someone from Microsoft?



IIS tweaks are all publicly documented and published on MSDN. Have you
tried the following search terms:

"IIS Registry" yields --
http://technet2.microsoft.com/windowsserver/en/library/e571fb78-ce9a-48f1-9e70-f062b8d791ad1033.mspx?mfr=true

"IIS Metabase Properties" yields --
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cde669f1-5714-4159-af95-f334251c8cbd.mspx?mfr=true

Now, I want to comment on another thing. Since this is a free
newsgroup staffed by volunteers, you cannot *expect* a response. Only
paid support has expected responses. In all other cases, you get what
you get from compassion. This seems perfectly fair to me, in real-life
and online. I just wanted to set this expectation straight since you
were voicing an expectation that seems to be heading down the negative
path of "I hate microsoft because they seem to withhold all the
answers and do not seem to care -- can someone from Microsoft please
answer me?" -- because I just do not think that direction is rational
nor realistic.

There is no registry hack or metabase configuration for the "behavior"
you describe.

I can also say that your request for such behavior in IIS has to be
ignored unless you pay say $10 million USD for it (that's the average
cost of adding new features to IIS, accounting for development,
testing, regression, and SUPPORT costs to answer questions for the 10
years of supported lifecycle + additional paid end-of-life support).
Yes, it's not cheap. And yikes, did you know that Microsoft servers
and OSes are supported for at least 10 years? What other web server
gives you that guarantee for similar acquisition price? Remember, Open
Source may have low/no acquisition price, but it also comes with no
guarantee of functionality nor support (in fact, it's pretty much use
at your own risk).

I see no correlation between the OS allowing no passwords and CSRs
allowing no OU other than the word "no". Please explain the apparent
oversight.

The OS password setting is clearly necessary for convenience in the
Home network usage case, where people have isolated home networks with
an external firewall between the outside world and internal computers
that have no passwords. Furthermore, non-password systems do not allow
remote network access by default (but it can be tweaked otherwise). I
consider that design both simple and secure by default, yet can be
tweaked by knowledgeable users for convenience.

Meanwhile, IIS servers are almost by-default going to be facing
traffic from "other users" (unlike OS password setting which is mostly
for home / family usage). I see no problems in requiring OU other than
the fact that someone may choose to have certificates without them.

Basically, the current behavior is "by-design" for very good reasons,
and unless you can come up with a RFC or publicly accepted
specification stating that OU is not required, or something like $10
million USD, there is no rationale for change. The support cost alone
outweighs the benefit.

Hopefully, now you see how the two camps work:
- Closed Source has tighter version control to provide sustainable,
guaranteed support
- Open Source has little version control and no support

The "ideal" user wants guaranteed support and free version control,
offered by neither camp. Hence really, neither is "better" to me -- it
all depends on whether you value support vs version control.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: Is possible to create CSRs for IIS 6 and use certs resulting wo "Organization Unit" ?

on 04.01.2008 17:19:14 by Alun Jones

"Rob" wrote in message
news:e482f692-b854-4cd6-9467-aa131dd05d19@y5g2000hsf.googlegroups.com...
> Is it possible to create CSRs for IIS 6 and use certs resulting wo
> "Organization Unit" ?
> Perhaps there is a registry hack or OS Policy change, or even if IIS 6
> still uses a Metabase perhaps there is a way to tweak IIS to allow an
> empty field for "Organization Unit" which is optional on other
> servers.

You can always create your own certificate signing request using external
tools, web enrollment or other methods, such as writing your own programs.
Getting a CA to sign it will depend on that CA accepting the format of
certificate signing request that you send - they may require that the OU be
present, or they may be comfortable with its absence.

But the key here is that you don't have to generate the certificate using
Microsoft's wizard.

> Can someone in this group please address this issue. Microsoft has
> very little out there about its tweaks.
>
> It seems reasonable that there would be a tweak allowing the creation
> and use of SSL CSRs without Organization Unit" considered optional in
> other web servers.

There could be tweaks for everything, but you'd have to have a huge hard
drive to store the software, and it'd take hours to boot. Microsoft gives
you a certificate wizard for IIS for your convenience, rather than to
satisfy every possible contingency.

> Am I the only one to ask for this?

Apparently.

> What is the downside to allowing
> CSRs be created without "Organization Unit field values"

I can't immediately think of one, except of course that a client could be
configured to reject certificates that didn't have an OU. What is the
downside to putting "N/A", or repeating the Organisation field, in the OU
field?

> It seems
> rather stupid not to require such a field while the OS has a setting
> to allow no password to be used in logins.

It seems rather stupid to require cars to stop at red lights when airplanes
aren't. No, actually, it doesn't - the two are completely unconnected.

> Can someone please address this. Maybe someone from Microsoft?

Alun.
~~~~
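As an added example, not part of the thread: the route Alun describes, generating the request outside the IIS certificate wizard with the OpenSSL command line. It builds one CSR with no OU component at all and a second one that repeats the Organization in OU (his suggested workaround), then checks which request carries an OU and that each request's self-signature verifies. The subject values and file locations are constructed for this example; whether a CA accepts the OU-less request remains, as the post says, up to that CA.

```shell
#!/bin/sh
# Added example (not from the thread): build CSRs with OpenSSL instead of
# the IIS wizard. OpenSSL accepts any subject; it does not insist on OU.
# Subject values and file locations below are constructed for this demo.
set -e

WORK="${TMPDIR:-/tmp}/csr-no-ou.$$"
mkdir -p "$WORK"

# make_csr KEY CSR SUBJECT: fresh 2048-bit RSA key plus PKCS#10 request.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
}

# csr_subject CSR: print the subject in RFC 2253 form (CN=...,O=...,C=...).
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# csr_has_ou CSR: succeed only if the subject contains an OU attribute.
csr_has_ou() {
    csr_subject "$1" | tr ',' '\n' | grep -q '^OU='
}

# csr_verify CSR: succeed only if the request's self-signature checks out.
# OpenSSL versions differ on which stream gets "verify OK", so read both.
csr_verify() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# CSR 1: no OU at all, the case the original poster asked about.
make_csr "$WORK/no-ou.key" "$WORK/no-ou.csr" \
    "/C=US/O=Example Inc/CN=www.example.test"
# CSR 2: OU repeated from O, the workaround suggested in the reply.
make_csr "$WORK/with-ou.key" "$WORK/with-ou.csr" \
    "/C=US/O=Example Inc/OU=Example Inc/CN=www.example.test"

for f in no-ou with-ou; do
    if csr_has_ou "$WORK/$f.csr"; then ou=present; else ou=absent; fi
    if csr_verify "$WORK/$f.csr"; then sig=OK; else sig=FAILED; fi
    echo "$f.csr: $(csr_subject "$WORK/$f.csr") (OU $ou, signature $sig)"
done
```

The generated `.key` and `.csr` files are left under `$WORK` so the request can be submitted to a CA and the key later bundled with the issued certificate.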