how can i differentiate my "machine certificates" -- they all say "administrator

wes

Set up a Win2003 RRAS server to do L2TP/IPsec VPN with
the newly updated Win2k/XP NAT-T aware client.
Everything works great. I'm using one of my DCs as an
enterprise CA to deploy the certs.

The only problem is, the instructions have me use certsrv
to deploy the certs to each client machine, and it issues
them to the domain admin account "administrator" that I
use to generate the certs. So when I go to the CA and
look up the issued certs, they all say "administrator"
and there is no easy way for me to distinguish which cert
maps to which machine. This will make it difficult to
quickly revoke a cert for a lost or stolen machine.

Anyone know how I can somehow generate the certs in a way
that will make it easy to tell which machine they are
issued to?

Thanks much,
Wes
 
Vishal Agarwal[MSFT]

1. Are you sure you are using the correct snap-in? For client machine
certificates, you have to use the "Local Computer" Certificate snap-in. If you
do so, the name for "Issued For" should be the machine name.

Unless you have used some custom mechanism to generate the request, the
request generated by mmc or web enrollment will have an attribute
"ccm:MACHINENAME". In the CA snap-in, if you right-click on an issued
certificate, you should get an option to view Attributes/Extension; clicking
on it should show you the tab for attributes. In the attribute list you can
look at the ccm attribute.

Hope it helps,
Vishal[MSFT]
 
