
How can I create an SSL certificate that has the ability to utilize a "short name" and "FQDN"?

Posted on 2008-10-10
Last Modified: 2008-10-15
What I am looking to do is have an internal cert created by our Enterprise CA that covers both the short name and the FQDN of a server. For example:

1. https://server1 and https://server1.domain.com
2. https://hostrecord for server1 and https://hostrecord for server1.domain.com

So, say I have a server named "server1" with IP address 10.0.0.1 and I create a host record called "webserver1" with IP address 10.0.0.1. If I go to a browser and type https://webserver1 and/or https://webserver1.domain.com, I can get to a website that was created.

Make sense?
Question by:mjm21
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 22688981
What you are looking for is called a SAN (Subject Alternate Name) and can include multiple values, and can be used for hostnames, FQDNs, IPs, aliases, etc.

You can usually use the certsrv page to do this using the Attributes field, or you can do it if you install the 2003 admin pack to get certreq.exe.

certreq -submit -attrib "certificatetemplate:%TemplateName%\nSAN:%SANValues%" -config %CA.FQDN%\CAName -f %ReqPath%\%filename.csr% %DestPath%\%CertName%.cer >> SubmitCSR.log

For certsrv, you can combine using either & or /n; for certreq the same applies.  I like to script, and when using it in a script you have to use /n because & is a parsing char for batch files.  Either way, you don't need spaces.


e.g. email: YourEmail@domain.com\n dns: SQLalias.domain.com
email: YourEmail@domain.com
dns: SQLalias.domain.com
dn: CN=hostname,OU=USA,DC=domain,DC=com
ipaddress: 192.168.0.1

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 22689003
Personally, for internal things I like to use the hostname for the main name, then the dns, ip, alias, etc. for the SAN values.  I just don't like doing the full DN structure, although you can usually get away with just DN: CN=hostname without all the fluff.
Author Comment

by:mjm21
ID: 22689381
Thanks member 22688981 and 22689003. I have read about the SAN and I am familiar with using the certserv page, rather than the scripting.  However, I agree with the hostname as main name for the main portion of the cert, but I am still unclear what to type in the attributes page under the advanced tab in certserv.
Author Comment

by:mjm21
ID: 22689397
I have also read that you have to prepare the CA for the SAN by typing in this in the command line:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
Author Comment

by:mjm21
ID: 22689411
Sorry ...new to this site....Thanks user Paranormastic!
Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 22689650
Funny I don't think I've been called by my user number before :)
Yes, the certutil command is needed to do SAN's.

Assuming cert has 'server1' as Subject, then SAN entry into the Attribute field would be:
SAN:dns:server1.domain.com/ndns:webserver1.domain.com/nDN:CN=webserver1/nipaddress:10.0.0.1

Note no spaces. You can substitute /n for & if you wish; it shouldn't really matter.  The order doesn't really matter, except that it needs to start with SAN:. For some reason some things like to work better with a : than a = and vice versa, but technically it shouldn't really matter. Again, I typically script certreq, so I'm a little rusty on the quirks of the certsrv page.
Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 22689698
certutil, certreq, and openssl can be your best friends if you are going to be getting into CA stuff for somewhat regular usage.  Here is a handy page for a few odd other extensions you may want to consider:
http://technet.microsoft.com/en-us/library/cc740063.aspx
Author Comment

by:mjm21
ID: 22690004
OK...so:
webserver1.domain.com/nDN:CN=webserver1/nipaddress:10.0.0.1 (This is the alternate name that I created in DNS)
Author Comment

by:mjm21
ID: 22690129

I guess this is what I mean....and I follow up all the way up to the attribute.....

What I am looking to do is have a cert that covers both the short name and the FQDN of a server. For example https://tombs and https://tombs.olf.com

So if I type either one of the above, I still get to the website even though the "real" server name is say Paranormastic.

I have already created a host record called tombs that point to Paranormastic.....

OH...so webserver1 is the hostname created in DNS that points to server1..... right?

Can I create multiple SAN's for one cert?  So, how would the attribute read if say we now added webserver2 to the picture.......

And that is all I have to ask.....thanks :)
Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 22690252
You can add a whole slew of SAN's to the same cert, yes - just string them together with /n or &.  For commercial certs they may charge based on the number you add, but for your own CA... I don't know what the limit is offhand, but it's a whole lot.  You got the general idea, but the main name does not need to be included in the attribute field as that would be in the subject field in the CSR file; the rest would go into the Subject Alternate Name.

You could technically add entries for more than one server, say if they were in a cluster responding to the same alias.  If you do this, then create the CSR on server1 and install the cert, then export it using the Certificates MMC including the private key, then copy it to server2 and install it there.  That way they can both handle the same data properly since they would be sharing the same private key.

If they are different apps, then you probably want to issue a different cert than having one giant cert.  You could do a wildcard, but if you want to do hostnames and IP addresses, that probably isn't the best option and some apps (e.g. OWA) don't like wildcards much.


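The certreq submission and SAN attribute string from the answers above (ID 22688981 and 22689650), together with the multiple-SAN case from the answer just above, as an added PowerShell example that is not code from the thread: it builds the attribute string, submits the CSR, and then checks that the issued certificate really carries every expected name. The template name, the CA config string ("CAHost\CAName") and the CSR/.cer paths are placeholders.

```powershell
# Added example, not code from the thread. Placeholders: template name, CA
# config string ("CAHost\CAName") and the CSR / .cer paths.

function New-SanAttribute {
    # Builds the certreq -attrib string: attributes are separated by a literal
    # "\n" and SAN values by "&" (PowerShell leaves \n unexpanded, which is what certreq wants).
    param(
        [string]   $Template,
        [string[]] $DnsNames,
        [string[]] $IpAddresses = @()
    )
    $san = @($DnsNames    | ForEach-Object { "dns=$_" }) +
           @($IpAddresses | ForEach-Object { "ipaddress=$_" })
    return "CertificateTemplate:$Template\nSAN:" + ($san -join '&')
}

function Test-CertificateSan {
    # Reads the Subject Alternative Name extension (OID 2.5.29.17) of an issued
    # certificate and reports which expected DNS names are not present in it.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [string[]] $ExpectedDnsNames
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @{ Present = $false; Missing = $ExpectedDnsNames } }
    $text = $ext.Format($true)   # one "DNS Name=..." entry per line
    $missing = @($ExpectedDnsNames | Where-Object {
        # anchor the end so "server1" does not match "server1.domain.com"
        $text -notmatch ('DNS Name=' + [regex]::Escape($_) + '(\r|\n|$)')
    })
    return @{ Present = $true; Missing = $missing }
}

# Constructed values matching the thread: short name, FQDN, DNS alias and its FQDN
$names    = 'server1', 'server1.domain.com', 'webserver1', 'webserver1.domain.com'
$attrib   = New-SanAttribute -Template 'WebServer' -DnsNames $names -IpAddresses '10.0.0.1'
$caConfig = 'ca01.domain.com\Domain-CA'   # placeholder CAHost\CAName

certreq -submit -config $caConfig -attrib $attrib .\server1.csr .\server1.cer
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 '.\server1.cer'
$result = Test-CertificateSan -Cert $cert -ExpectedDnsNames $names
if (-not $result.Present -or $result.Missing.Count -gt 0) {
    throw "Issued cert is missing SAN entries: $($result.Missing -join ', ')"
}
"SAN verified for: $($names -join ', ')"
```

If the final check fails on a CA where EDITF_ATTRIBUTESUBJECTALTNAME2 was never set, the request-supplied SAN was silently dropped rather than rejected. That flag also lets any enrollee supply arbitrary names in a request attribute, so keep enrollment permissions on the template tight once it is enabled.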
Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 22690317
One thing that we do here is, since we issue certs to a very large enterprise-sized organization, we get requests from all over the place, so we add the Outlook team name or support team email address as another SAN with the email:IIS.AdminTeam@domain.com or email:"IIS Admin Team" format.  That way, when it comes time to renew it we can email that group (in case the originator moved on from the company, we still have a contact).  This would show up in the Subject Alternate Name field as the RFC882 Name:
Accepted Solution

by:mjm21
mjm21 earned 0 total points
ID: 22690436
I will check it out...thanks
Author Comment

by:mjm21
ID: 22690488
I understand the concept now.