Subject order and missing DC attributes when signing intermediate CA with smallstep (Microsoft CA compatibility issue)

[JannikZorn]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Hi everyone,

I’m currently trying to use a smallstep root CA to sign a Microsoft Windows CA as a subordinate CA, but I’m running into issues with the subject field handling.

Here’s my setup:

I created a CSR for the Microsoft CA.
Then I signed it using my smallstep root CA with:

step certificate sign \ --profile intermediate-ca \ intermediate-ms.csr \ /etc/step-ca/certs/root_ca.crt \ /etc/step-ca/secrets/root_ca_key

Initially, the resulting certificate was missing required extensions like:

CDP (CRL Distribution Point)
AIA (Authority Information Access)

So I created a custom template:

{ "subject": {{ toJson .Insecure.CR.Subject }}, "sans": {{ toJson .SANs }}, "issuingCertificateURL": "http://xxx/root.crt", {{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }} "keyUsage": ["keyEncipherment", "digitalSignature"], {{- else }} "keyUsage": ["digitalSignature"], {{- end }} "extKeyUsage": ["serverAuth", "clientAuth"], "basicConstraints": { "isCA": true, "maxPathLen": 0 }, "crlDistributionPoints": [ "http://xxx/root.crl" ] }

With this template, the extensions are now correct and accepted.

However, I’m facing a new issue with the subject:

In my CSR (.req), the subject looks like this:

CN=abc, DC=def, DC=ghi

When I use:

"subject": {{ toJson .Insecure.CR.Subject }}

the subject in the issued certificate becomes:

DC=ghi, DC=def, CN=abc

→ so all attributes are present, but the order is reversed.
If I instead use:

"subject": {{ toJson .Subject }}

then the resulting certificate only contains:

CN=abc

which makes sense because the template overrides the subject and only includes the CN.

Problem:
Microsoft CA seems to reject the certificate when the subject order is changed, even though the same attributes are present.

According to the documentation and discussions (e.g. issue #718), I expected .Insecure.CR.Subject to preserve the subject exactly as defined in the CSR — including the order — but that does not seem to be the case.

Questions:

Is the reordering of subject attributes when using .Insecure.CR.Subject expected behavior?
Is there any way to preserve the exact original subject order from the CSR?
Has anyone successfully used smallstep to sign a Microsoft subordinate CA certificate without running into this issue?

Any help would be greatly appreciated — I’m currently stuck on this.

Thanks!

Why is this needed?

The .Insecure.CR.Subject Option in templates doesn't work like it should.

[hslatman]

Hey @JannikZorn,

I'm not aware of other users running into this issue. Generally people are going the other way while migrating away from or in co-operation with ADCS: signing an intermediate off of ADCS, and use that with step-ca. What is your use case, exactly?

It seems this may be some quirk with ADCS, potentially doing a form of strict string comparison on the subject. We don't have much time to look into this now ourselves, but we'd be open to contributions, assuming the changes are not too invasive.