Approval for Certificate Template SANs in AD Services
Approval is needed before using certificate templates that let you specify extra names.
Plain language
If your business runs its own certificate authority, someone accountable must approve the certificate templates that let the requester type in extra names (Subject Alternative Names). Without that approval step, the CA can issue a certificate naming a server, or a person, that the requester has no right to act as, and anything that trusts the certificate (a browser, a domain logon) will be fooled, which can lead to data leaks or fraud.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
CA Certificate Manager approval is required for certificate templates that allow a Subject Alternative Name to be supplied.
Why it matters
In AD CS, a template that lets the enrollee supply the subject lets the requester put any name into the Subject Alternative Name: a hostname the requester does not own (supporting spoofing and man-in-the-middle attacks) or, more seriously, the UPN of another account. If such a template also permits client authentication, the resulting certificate can be used to log on as that account, which is the well-documented ESC1 privilege-escalation path. Requiring CA Certificate Manager approval puts a human check between the request and issuance.
Operational notes
Ensure every template that permits requester-supplied SANs (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set in msPKI-Certificate-Name-Flag) has "CA certificate manager approval" enabled under Issuance Requirements (CT_FLAG_PEND_ALL_REQUESTS in msPKI-Enrollment-Flag), so requests are held as pending rather than issued automatically. Approval is only effective if the Certificate Manager actually inspects the requested names, so restrict who holds the Issue and Manage Certificates permission on the CA and review pending requests promptly. Check the CA itself as well: if the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is set in the CA's policy EditFlags, a SAN can be passed as a request attribute on any template regardless of template settings, which bypasses this control; it should be off. Periodically revalidate approvals and remove, unpublish or restrict SAN-enabled templates that are no longer needed.
Implementation tips
- IT team should identify certificate templates that allow extra names: List every template published on an enterprise CA whose msPKI-Certificate-Name-Flag has the enrollee-supplies-subject bit set, and record whether each already requires manager approval. This is the set of templates that need special attention.
- IT manager should assign a Certificate Manager: Grant the Issue and Manage Certificates permission on the CA to a named person (or small group) responsible for reviewing and approving pending requests from these templates, so there is one accountable approver.
- Certificate Manager should review requests: When a request arrives from one of the identified templates, verify that each supplied name is one the requester legitimately owns or administers, and that the names are actually needed. Use a checklist so every name is checked against an authoritative source (DNS, asset register, HR record) rather than the requester's word.
- System owner should maintain a record of approved templates: Keep a document that notes each approved template, its settings (SAN allowed, approval required, EKUs) and its business purpose. This record shows what has been reviewed and prevents rework.
- IT security officer should conduct regular reviews: Schedule checks every six months to confirm the approval flag is still set on each SAN-enabled template, that the CA-level SAN attribute flag remains off, and that pending requests are being reviewed rather than bulk-approved. This catches missed approvals and lets practices be adjusted.
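The following PowerShell script is an added example for the identification step above; it is not part of the ISM or of this page. It reads the certificate templates from the AD Configuration partition, marks those that let the enrollee supply the subject (and therefore a SAN) and flags any that do not require CA certificate manager approval. The flag values come from the Microsoft MS-CRTD template specification; the ActiveDirectory module is assumed to be installed, and any domain user can read these objects. The trailing certutil command must be run on the CA host itself.

```powershell
# Added example (not the ISM's or this page's own code): find AD CS templates that
# let the requester supply a SAN but do not require CA certificate manager approval.

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # bit in msPKI-Enrollment-Flag ("CA certificate manager approval")

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caDN       = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Templates published on at least one enterprise CA; an unpublished template cannot be requested.
$published = Get-ADObject -SearchBase $caDN -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                -Properties certificateTemplates |
             ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

$templates = Get-ADObject -SearchBase $templateDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                -Properties displayName, 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', `
                            'msPKI-RA-Signature', pKIExtendedKeyUsage

$report = $templates | ForEach-Object {
    $nameFlag   = [int]$_.'msPKI-Certificate-Name-Flag'
    $enrollFlag = [int]$_.'msPKI-Enrollment-Flag'
    [pscustomobject]@{
        Template        = $_.displayName
        Published       = $published -contains $_.Name
        SuppliesSAN     = ($nameFlag   -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        ManagerApproval = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        AuthorisedSigs  = [int]$_.'msPKI-RA-Signature'          # >0 means a signed request is also required
        EKU             = ($_.pKIExtendedKeyUsage -join ',')    # empty = any purpose; 1.3.6.1.5.5.7.3.2 = client auth
    }
}

# Non-compliant with ISM-1948: SAN allowed, no manager approval. Published ones are the live risk.
$report | Where-Object { $_.SuppliesSAN -and -not $_.ManagerApproval } |
    Sort-Object Published -Descending | Format-Table -AutoSize

# CA-level override check (run on the CA host): EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) lets a
# SAN be passed as a request attribute on ANY template, bypassing the per-template flag above.
certutil -getreg policy\EditFlags
```

Templates returned by the filter should either have manager approval enabled, be unpublished, or have a documented reason to remain as they are. The EKU column helps prioritise: a template with Client Authentication, Smart Card Logon, Any Purpose or no EKU at all is the one that can be turned into a logon certificate for another account. The certutil output lists the EditFlags by name; EDITF_ATTRIBUTESUBJECTALTNAME2 should not appear.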
Audit / evidence tips
- Ask: the list of certificate templates in use. Request documentation that lists all certificate templates being used within the organisation.
  Good: a clear list of those templates with a date of creation and last review.
- Ask: the approval records from the Certificate Manager. Ensure there are approval logs for all certificate templates allowing extra names.
  Good: each record contains the date of approval and the rationale for the decision.
- Ask: a copy of the checklist used for verification. Request the checklist that the Certificate Manager uses when approving certificates.
  Good: the checklist has clear criteria filled in for each reviewed item.
- Ask: evidence of the assignment of the Certificate Manager role. Obtain documentation such as an appointment letter or an internal memo confirming who is responsible for approvals.
  Good: the documentation has clear lines of responsibility and qualifications listed.
- Ask: records of reviews conducted by the IT security officer. Request the reports or minutes from the last few reviews of the certificate process.
  Good: each includes a summary of findings and actions taken, with dates and responsible persons.
Cross-framework mappings
How ISM-1948 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially meets (1) | |
| Annex A 8.32 | ISM-1948 requires CA Certificate Manager approval before using AD CS certificate templates that permit requester-supplied Subject Alterna... |
| Supports (2) | |
| Annex A 5.18 | ISM-1948 requires CA Certificate Manager approval for certificate templates that allow a supplied SAN, reducing the risk of unauthorised ... |
| Annex A 8.2 | ISM-1948 requires CA Certificate Manager approval before enabling certificate templates that let requesters supply SANs, limiting a commo... |
E8
| Control | Notes |
|---|---|
| Supports (2) | |
| E8-RA-ML3.1 | ISM-1948 mandates CA Certificate Manager approval for SAN-supplying certificate templates, constraining who can enable potentially abusab... |
| E8-RA-ML3.3 | ISM-1948 requires an explicit CA Certificate Manager approval step before enabling SAN-supplying certificate templates in AD CS |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.