Solved

How can I create an SSL certificate that has the ability to utilize a "short name" and "FQDN"?

Posted on 2008-10-10
Last Modified: 2008-10-15
What I am looking to do is have an internal cert created by our Enterprise CA that covers both the short name and the FQDN of a server. For example:

1. https://server1 and https://server1.domain.com 
2. https://hostrecord for server1 and https://hostrecord for server1.domain.com
So, say I have a server named "server1" with an IP address of 10.0.0.1, and I create a host record called "webserver1" with an IP address of 10.0.0.1, and I go to a browser and type https://webserver1 and/or https://webserver1.domain.com, I can get to a website that was created.

Make sense?
Question by:mjm21
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 2000 total points
ID: 22688981
What you are looking for is called a SAN (Subject Alternate Name) and can include multiple values, and can be used for hostnames, FQDNs, IPs, aliases, etc.

You can usually use the certsrv page to do this using the Attributes field, or you can do it if you install the 2003 admin pack to get certreq.exe.

certreq -submit -attrib certificatetemplate:%TemplateName%\nSAN:%SANValues% -config %CA.FQDN%\CAName -f %ReqPath%\%filename.csr% %DestPath%\%CertName%.cer >> SubmitCSR.log

For certsrv, you can combine using either & or /n; for certreq the same applies.  I like to script, so when using it in a script you have to use /n because & is a parsing char for batch files.  Either way, you don't need spaces.


e.g. email: YourEmail@domain.com\n dns: SQLalias.domain.com
email: YourEmail@domain.com
dns: SQLalias.domain.com
dn: CN=hostname,OU=USA,DC=domain,DC=com
ipaddress: 192.168.0.1
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 2000 total points
ID: 22689003
Personally, for internal things I like to use the hostname for the main name, then the dns, ip, alias, etc. for the SAN values.  I just don't like doing the full DN structure, although you can usually get away with just DN: CN=hostname without all the fluff.

Author Comment

by:mjm21
ID: 22689381
Thanks member 22688981 and 22689003. I have read about the SAN and I am familiar with using the certsrv page rather than the scripting.  However, I agree with the hostname as the main name for the main portion of the cert, but I am still unclear what to type in the Attributes page under the advanced tab in certsrv.

Author Comment

by:mjm21
ID: 22689397
I have also read that you have to prepare the CA for the SAN by typing in this in the command line:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

Author Comment

by:mjm21
ID: 22689411
Sorry ...new to this site....Thanks user Paranormastic!
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 2000 total points
ID: 22689650
Funny I don't think I've been called by my user number before :)
Yes, the certutil command is needed to do SANs.

Assuming cert has 'server1' as Subject, then SAN entry into the Attribute field would be:
SAN:dns:server1.domain.com/ndns:webserver1.domain.com/nDN:CN=webserver1/nipaddress:10.0.0.1

Note: no spaces. You can substitute /n for & if you wish; it shouldn't really matter.  The order doesn't really matter, except that it needs to start with SAN:. For some reason some things like to work better with a : than a = and vice versa, but technically it shouldn't really matter; again, I typically script certreq so I'm a little rusty on the quirks of the certsrv page.
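The attribute string above is just a typed list joined with /n or &, and it is easy to get wrong by hand (a stray space, a typo in an IP, a mix of : and =). The following Python script is an added example, not code from the thread or from Microsoft: it builds the certsrv/certreq "SAN:" attribute from a structured list, validates each value before it is submitted, and parses an existing attribute string back out so it can be reviewed. The entry list and separator choices mirror the thread; the name webserver1.domain.com and the address 10.0.0.1 are the thread's own illustrative values. One point a defender should keep in mind: once EDITF_ATTRIBUTESUBJECTALTNAME2 is set on the CA (the certutil command above), the CA honours requester-supplied SAN values on every template, so whoever can submit a request can name any host; keep enrollment permissions tight and review the SAN list before approving.

```python
import ipaddress
import re

# SAN entry types named in the thread (certsrv/certreq attribute syntax).
SAN_TYPES = ("dns", "ipaddress", "email", "dn")

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_entry(kind, value):
    """Raise ValueError if (kind, value) is not a usable SAN entry."""
    if kind not in SAN_TYPES:
        raise ValueError(f"unknown SAN type {kind!r}")
    if any(ch.isspace() for ch in value):
        # The thread's rule: no spaces anywhere in the attribute.
        raise ValueError(f"SAN value {value!r} contains whitespace")
    if kind == "dns":
        if not all(_LABEL.match(label) for label in value.split(".")):
            raise ValueError(f"{value!r} is not a valid DNS name")
    elif kind == "ipaddress":
        ipaddress.ip_address(value)          # raises ValueError on junk
    elif kind == "email" and value.count("@") != 1:
        raise ValueError(f"{value!r} is not an e-mail address")
    elif kind == "dn" and not value.upper().startswith("CN="):
        raise ValueError(f"{value!r} should start with CN=")


def build_san_attribute(entries, sep="/n"):
    """Return the 'SAN:...' string for the certsrv Attributes field.

    entries: list of (type, value) pairs; sep is '/n' or '&' as in the thread.
    """
    if sep not in ("/n", "&"):
        raise ValueError("separator must be '/n' or '&'")
    for kind, value in entries:
        validate_entry(kind, value)
    return "SAN:" + sep.join(f"{kind}:{value}" for kind, value in entries)


def parse_san_attribute(attr):
    """Inverse of build_san_attribute: return a list of (type, value) pairs.

    Accepts both 'dns:host' and 'dns=host' spellings and either separator.
    """
    if not attr.startswith("SAN:"):
        raise ValueError("attribute must start with 'SAN:'")
    body = attr[len("SAN:"):]
    parts = body.split("/n") if "/n" in body else body.split("&")
    entries = []
    for part in parts:
        kind, _, value = part.partition(":")
        if not value:
            kind, _, value = part.partition("=")   # 'dns=...' style
        entries.append((kind.lower(), value))
    return entries


# Constructed example mirroring the attribute string given in the thread.
EXAMPLE_ENTRIES = [
    ("dns", "server1.domain.com"),
    ("dns", "webserver1.domain.com"),
    ("dn", "CN=webserver1"),
    ("ipaddress", "10.0.0.1"),
]

if __name__ == "__main__":
    attr = build_san_attribute(EXAMPLE_ENTRIES)
    print(attr)
    for kind, value in parse_san_attribute(attr):
        print(f"  {kind:10s} {value}")
```

Run it as-is to print the attribute string and its parsed entries; swap the separator to "&" with build_san_attribute(EXAMPLE_ENTRIES, "&") if the CA's web page is being used interactively rather than a batch file.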
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 2000 total points
ID: 22689698
certutil, certreq, and openssl can be your best friends if you are going to be getting into CA stuff for somewhat regular usage.  Here is a handy page for a few odd other extensions you may want to consider:
http://technet.microsoft.com/en-us/library/cc740063.aspx

Author Comment

by:mjm21
ID: 22690004
OK...so:
webserver1.domain.com/nDN:CN=webserver1/nipaddress:10.0.0.1 (This is the alternate name that I created in DNS)

Author Comment

by:mjm21
ID: 22690129

I guess this is what I mean....and I follow up all the way up to the attribute.....

What I am looking to do is have a cert that covers both the short name and the FQDN of a server. For example https://tombs and https://tombs.olf.com

So if I type either one of the above, I still get to the website even though the "real" server name is say Paranormastic.

I have already created a host record called tombs that points to Paranormastic.....

OH...so webserver1 is the hostname created in DNS that points to server1..... right?

Can I create multiple SANs for one cert?  So, how would the attribute read if, say, we now added webserver2 to the picture.......

And that is all I have to ask.....thanks :)
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 2000 total points
ID: 22690252
You can add a whole slew of SANs to the same cert, yes - just string them together with /n or &.  For commercial certs they may charge based on the number you add, but for your own CA... I don't know what the limit is offhand but it's a whole lot.  You got the general idea, but the main name does not need to be included in the attribute field as that would be in the subject field in the CSR file; the rest would go into the Subject Alternate Name.

You could technically add entries for more than one server, say if they were in a cluster responding to the same alias.  If you do this, then create the CSR on server1 and install the cert, then export it using the Certificates MMC including the private key, then copy it to server2 and install it there.  That way they can both handle the same data properly since they would be sharing the same private key.

If they are different apps, then you probably want to issue a different cert than having one giant cert.  You could do a wildcard, but if you want to do hostnames and IP addresses, that probably isn't the best option and some apps (e.g. OWA) don't like wildcards much.

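The answer above makes two claims a practitioner will want to check before submitting the request: that every alias (short name and FQDN) needs its own SAN entry, and that a wildcard is a poor fit when bare hostnames and IP addresses are in play. The Python script below is an added example, not code from the thread: it implements the host-name matching rule browsers apply to a certificate's SAN list (exact dNSName match, case-insensitive; a wildcard only as the whole leftmost label, matching exactly one label; IP literals matched only against iPAddress entries) and reports which planned URLs a given SAN set would leave uncovered. The names tombs, tombs.olf.com and webserver2 and the address 10.0.0.1 are the thread's illustrative values; the *.olf.com wildcard and the uncovered-host helper are assumptions added here. It also shows that a dn (directoryName) entry is not consulted for host matching, which is why the short name must appear as its own dns entry.

```python
import ipaddress


def _dns_matches(pattern, host):
    """Match one dNSName entry against a requested host name.

    Wildcards are honoured only as the entire leftmost label and match
    exactly one label, so '*.olf.com' covers 'tombs.olf.com' but neither
    the bare 'tombs' nor 'a.b.olf.com'.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False                      # reject '*', '*.com', 'a*.b.c' forms
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def host_matches_san(requested, san_entries):
    """True if the host part of a URL is covered by the certificate's SAN list.

    san_entries: list of (type, value) pairs in the certsrv attribute vocabulary.
    Only 'dns' and 'ipaddress' entries count; 'dn' and 'email' entries are
    ignored for host-name matching, as browsers ignore them.
    """
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL must match an iPAddress entry exactly.
        return any(kind == "ipaddress" and ipaddress.ip_address(value) == ip
                   for kind, value in san_entries)
    return any(kind == "dns" and _dns_matches(value, requested)
               for kind, value in san_entries)


def uncovered_hosts(planned_hosts, san_entries):
    """Return the planned hosts that the SAN set does not cover."""
    return [h for h in planned_hosts if not host_matches_san(h, san_entries)]


# Constructed SAN set for the 'tombs' alias from the thread, plus a wildcard.
SAN_TOMBS = [
    ("dns", "tombs"),
    ("dns", "tombs.olf.com"),
    ("dns", "*.olf.com"),
    ("ipaddress", "10.0.0.1"),
    ("dn", "CN=tombs"),
]

if __name__ == "__main__":
    planned = ["tombs", "tombs.olf.com", "10.0.0.1", "webserver2", "webserver2.olf.com"]
    for host in planned:
        print(f"{host:22s} {'covered' if host_matches_san(host, SAN_TOMBS) else 'NOT covered'}")
    print("uncovered:", uncovered_hosts(planned, SAN_TOMBS))
```

Running it shows that the wildcard picks up webserver2.olf.com but not the bare webserver2, so adding a second alias means adding both dns:webserver2 and dns:webserver2.olf.com to the attribute string, exactly as the answer describes.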
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 2000 total points
ID: 22690317
One thing that we do here is, since we issue certs to a very large enterprise-sized organization and get requests from all over the place, we add the Outlook team name or support team email address as another SAN in the email:IIS.AdminTeam@domain.com or email:"IIS Admin Team" format.  That way, when it comes time to renew it we can email that group (in case the originator moved on from the company we still have a contact).  This would show up in the Subject Alternate Name field as the RFC882 Name:

Accepted Solution

by:mjm21
mjm21 earned 0 total points
ID: 22690436
I will check it out...thanks

Author Comment

by:mjm21
ID: 22690488
I understand the concept now.