I am building a PKI with the plan of becoming cross-certified with an external bridge in the future. The required Distinguished Name (DN) for cross-certification is different from the internal AD OU structure, and the issue is that I want to publish 2 certificates to the users' AD accounts: one for Smart Card Logon and the second for Encryption.
The internal AD DN for the users is as follows:
CN=John Q. Doe, OU=Users, OU=Company Nickname, DC=Company, DC=Local
The acceptable formats for the cross-certifying entity are:
CN=John Q. Doe, OU=Users, O=Company, C=US
or
CN=John Q. Doe, OU=Users, DC=Company Name, DC=com
We are using a third-party enrollment system for smart cards (Entrust Identity Guard). Is there a way to map those certificates to the appropriate user or device? My hope was that using the Subject Alternative Name (SAN) "Directory Address" might help?
Any other suggestions?