How can I create an SSL certificate that has the ability to utilize a "short name" and "FQDN"?

Posted on 2008-10-10
Last Modified: 2008-10-15
What I am looking to do is have an internal cert created by our Enterprise CA that covers both the short name and the FQDN of a server. For example:

1. https://server1 and https://server1.domain.com
2. https://hostrecord for server1 and https://hostrecord for server1.domain.com

So, say I have a server named "server1" with IP address 10.0.0.1 and I create a host record called "webserver1" with IP address 10.0.0.1. If I go to a browser and type https://webserver1 and/or https://webserver1.domain.com, I can get to a website that was created.

Make sense?
Question by: mjm21

Assisted Solution by: Paranormastic
What you are looking for is called a SAN (Subject Alternate Name) and can include multiple values, and can be used for hostnames, FQDNs, IPs, aliases, etc.

You can usually use the certsrv page to do this using the Attributes field, or you can do it if you install the 2003 admin pack to get certreq.exe.

certreq -submit -attrib certificatetemplate:%TemplateName%\nSAN:%SANValues% -config %CA.FQDN%\CAName -f %ReqPath%\%filename.csr% %DestPath%\%CertName%.cer >> SubmitCSR.log

For certsrv, you can combine using either & or /n; for certreq the same applies. I like to script, so when using it in a script you have to use /n because & is a parsing char for batch files. Either way, you don't need spaces.


e.g. email: YourEmail@domain.com\n dns: SQLalias.domain.com
email: YourEmail@domain.com
dns: SQLalias.domain.com
dn: CN=hostname,OU=USA,DC=domain,DC=com
ipaddress: 192.168.0.1
Assisted Solution by: Paranormastic
Personally, for internal things I like to use the hostname for the main name, then the DNS, IP, alias, etc. for the SAN values. I just don't like doing the full DN structure, although you can usually get away with just DN:CN=hostname without all the fluff.
Author Comment by: mjm21
Thanks member 22688981 and 22689003. I have read about the SAN and I am familiar with using the certsrv page rather than the scripting. I agree with the hostname as the main name for the main portion of the cert, but I am still unclear what to type in the Attributes field under the advanced tab in certsrv.
Author Comment by: mjm21
I have also read that you have to prepare the CA for the SAN by typing in this in the command line:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
Author Comment by: mjm21
Sorry ...new to this site....Thanks user Paranormastic!
Assisted Solution by: Paranormastic
Funny I don't think I've been called by my user number before :)
Yes, the certutil command is needed to do SANs.

Assuming the cert has 'server1' as Subject, then the SAN entry in the Attribute field would be:
SAN:dns:server1.domain.com/ndns:webserver1.domain.com/nDN:CN=webserver1/nipaddress:10.0.0.1

Note: no spaces. You can substitute /n for & if you wish; it shouldn't really matter. The order doesn't really matter either, except that it needs to start with SAN:. For some reason some things like to work better with a : than a = and vice versa, but technically it shouldn't really matter. Again, I typically script certreq so I'm a little rusty on the quirks of the certsrv page.
Assisted Solution by: Paranormastic
certutil, certreq, and openssl can be your best friends if you are going to be getting into CA stuff for somewhat regular usage. Here is a handy page for a few other odd extensions you may want to consider:
http://technet.microsoft.com/en-us/library/cc740063.aspx
Author Comment by: mjm21
OK...so:
webserver1.domain.com/nDN:CN=webserver1/nipaddress:10.0.0.1 (This is the alternate name that I created in DNS)
Author Comment by: mjm21

I guess this is what I mean....and I follow up all the way up to the attribute.....

What I am looking to do is have a cert that covers both the short name and the FQDN of a server. For example https://tombs and https://tombs.olf.com

So if I type either one of the above, I still get to the website even though the "real" server name is say Paranormastic.

I have already created a host record called tombs that point to Paranormastic.....

OH...so webserver1 is the hostname created in DNS that points to server1..... right?

Can I create multiple SANs for one cert? So, how would the attribute read if say we now added webserver2 to the picture.......

And that is all I have to ask.....thanks :)
Assisted Solution by: Paranormastic
You can add a whole slew of SANs to the same cert, yes - just string them together with /n or &. For commercial certs they may charge based on the number you add, but for your own CA... I don't know what the limit is offhand, but it's a whole lot. You got the general idea, but the main name does not need to be included in the attribute field, as that would be in the subject field in the CSR file; the rest would go into the Subject Alternate Name.

You could technically add entries for more than one server, say if they were in a cluster responding to the same alias. If you do this, then create the CSR on server1 and install the cert, then export it using the Certificates MMC including the private key, then copy it to server2 and install it there. That way they can both handle the same data properly since they would be sharing the same private key.

If they are different apps, then you probably want to issue a different cert than having one giant cert.  You could do a wildcard, but if you want to do hostnames and IP addresses, that probably isn't the best option and some apps (e.g. OWA) don't like wildcards much.
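As an added example (my own script, not from this thread and not a Microsoft tool), here is a small Python check that renders the certsrv Attributes string the way the answers above describe and then reports which of the names a user might type (https://server1, https://webserver1, the FQDNs, the IP) the resulting certificate would actually cover. Coverage follows the RFC 2818 rule a TLS client applies: only dNSName and iPAddress entries identify a host, a DN-type SAN is not used for host matching, and the subject CN is consulted only when the cert carries no dNSName SAN at all. It also applies the one-label wildcard rule that underlies the caveat about wildcards above. The subject, SAN entries and hostnames are the constructed values from this thread; the function names are mine.

```python
import ipaddress

# Constructed example values from the thread: subject CN 'server1' and the
# SAN entries suggested for the certsrv Attributes field.
SUBJECT_CN = "server1"
SAN_ENTRIES = [
    ("dns", "server1.domain.com"),
    ("dns", "webserver1.domain.com"),
    ("DN", "CN=webserver1"),
    ("ipaddress", "10.0.0.1"),
]

VALID_SAN_TYPES = {"dns", "ipaddress", "email", "dn", "upn"}


def build_san_attribute(entries, separator="/n"):
    """Render the certsrv 'Attributes' value: 'SAN:' followed by type:value
    pairs joined with /n (or &) and no spaces. Rejects unknown SAN types,
    malformed IP literals and values containing whitespace."""
    parts = []
    for kind, value in entries:
        if kind.lower() not in VALID_SAN_TYPES:
            raise ValueError(f"unknown SAN type: {kind}")
        if kind.lower() == "ipaddress":
            ipaddress.ip_address(value)  # raises ValueError if not a valid IP
        if any(ch.isspace() for ch in value):
            raise ValueError(f"SAN value must not contain spaces: {value!r}")
        parts.append(f"{kind}:{value}")
    return "SAN:" + separator.join(parts)


def _dns_name_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, and a wildcard only as
    the whole leftmost label, matching exactly one label. So *.domain.com
    never matches a bare short name and never matches a.b.domain.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 2 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_is_covered(host, subject_cn, entries):
    """Would a TLS client accept this certificate for 'host'?  Per RFC 2818
    only dNSName and iPAddress SANs identify a host; a DN-type SAN does not,
    and the subject CN is used only when no dNSName SAN is present."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k.lower() == "ipaddress" and ipaddress.ip_address(v) == ip
                   for k, v in entries)
    dns_names = [v for k, v in entries if k.lower() == "dns"]
    candidates = dns_names if dns_names else [subject_cn]
    return any(_dns_name_matches(c, host) for c in candidates)


def missing_names(wanted_hosts, subject_cn, entries):
    """Return the hosts a user might type that this cert would NOT cover."""
    return [h for h in wanted_hosts if not host_is_covered(h, subject_cn, entries)]


if __name__ == "__main__":
    print(build_san_attribute(SAN_ENTRIES))
    wanted = ["server1", "server1.domain.com", "webserver1",
              "webserver1.domain.com", "10.0.0.1"]
    print("not covered:", missing_names(wanted, SUBJECT_CN, SAN_ENTRIES))
    # Listing the short names as dns entries as well closes the gap.
    fixed = SAN_ENTRIES + [("dns", "server1"), ("dns", "webserver1")]
    print("not covered after adding short names:",
          missing_names(wanted, SUBJECT_CN, fixed))
```

Running it shows that with only the two FQDNs as dns entries, https://server1 and https://webserver1 are not covered (the DN:CN=webserver1 entry does not count for host matching, and the CN is ignored once a dNSName SAN exists), so the short names need their own dns: entries in the attribute string. Checking coverage this way before deploying is worthwhile because, once the CA accepts SAN request attributes, the issued certificate contains exactly what was typed.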
Assisted Solution by: Paranormastic
One thing that we do here, since we issue certs to a very large enterprise-sized organization and get requests from all over the place, is add the Outlook team name or support team email address as another SAN in the email:IIS.AdminTeam@domain.com or email:"IIS Admin Team" format. That way, when it comes time to renew it we can email that group (in case the originator moved on from the company, we still have a contact). This would show up in the Subject Alternate Name field as the RFC822 Name:
Accepted Solution by: mjm21
I will check it out...thanks
Author Comment by: mjm21
I understand the concept now.