Solved

How can I create a SSL certificate that has the ability to utilize a "short name" and "FQDN"?

Posted on 2008-10-10
13
1,199 Views
Last Modified: 2008-10-15
What I am looking to do is have an internal cert created by our Enterprise CA that covers both the short name and the FQDN of a server. For example:

1. https://server1 and https://server1.domain.com
2. https://hostrecord for server1 and https://hostrecord for server1.domain.com
So, say I have a server named "server1" with IP address of 10.0.0.1 and I create a host record called "webserver1" with IP address of 10.0.0.1, and I go to a browser and type https://webserver1 and/or https://webserver1.domain.com, I can get to a website that was created.

Make sense?
0
Comment
Question by:mjm21
13 Comments
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 22688981
What you are looking for is called a SAN (Subject Alternate Name) and can include multiple values, and can be used for hostnames, FQDNs, IPs, aliases, etc.

You can usually use the certsrv page to do this using the Attributes field, or you can do it if you install the 2003 admin pack to get certreq.exe.

certreq -submit -attrib certificatetemplate:%TemplateName%\nSAN:%SANValues% -config %CA.FQDN%\CAName -f %ReqPath%\%filename.csr% %DestPath%\%CertName%.cer >> SubmitCSR.log

For certsrv, you can combine using either & or /n; for certreq the same applies.  I like to script, so when using it in a script you have to use /n because & is a parsing char for batch files.  Either way, you don't need spaces.


e.g. email: YourEmail@domain.com\n dns: SQLalias.domain.com
email: YourEmail@domain.com
dns: SQLalias.domain.com
dn: CN=hostname,OU=USA,DC=domain,DC=com
ipaddress: 192.168.0.1
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 22689003
Personally, for internal things I like to use the hostname for the main name, then the dns, ip, alias, etc. for the SAN values.  I just don't like doing the full DN structure, although you can usually get away with just DN:CN=hostname without all the fluff.
0
 

Author Comment

by:mjm21
ID: 22689381
Thanks, member 22688981 and 22689003. I have read about the SAN and I am familiar with using the certsrv page, rather than the scripting.  However, I agree with the hostname as main name for the main portion of the cert, but I am still unclear what to type in the Attributes page under the Advanced tab in certsrv.
0

Author Comment

by:mjm21
ID: 22689397
I have also read that you have to prepare the CA for the SAN by typing in this in the command line:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
0
 

Author Comment

by:mjm21
ID: 22689411
Sorry ...new to this site....Thanks user Paranormastic!
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 22689650
Funny I don't think I've been called by my user number before :)
Yes, the certutil command is needed to do SAN's.

Assuming cert has 'server1' as Subject, then SAN entry into the Attribute field would be:
SAN:dns:server1.domain.com/ndns:webserver1.domain.com/nDN:CN=webserver1/nipaddress:10.0.0.1

Note: no spaces. You can substitute /n for & if you wish; it shouldn't really matter.  The order doesn't really matter, except that it needs to start with SAN:. For some reason some things like to work better with a : than a = and vice versa, but technically it shouldn't really matter. Again, I typically script certreq, so I'm a little rusty on the quirks of the certsrv page.
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 22689698
certutil, certreq, and openssl can be your best friends if you are going to be getting into CA stuff for somewhat regular usage.  Here is a handy page for a few odd other extensions you may want to consider:
http://technet.microsoft.com/en-us/library/cc740063.aspx
0
 

Author Comment

by:mjm21
ID: 22690004
OK...so:
webserver1.domain.com/nDN:CN=webserver1/nipaddress:10.0.0.1 (This is the alternate name that I created in DNS)
0
 

Author Comment

by:mjm21
ID: 22690129

I guess this is what I mean....and I follow up all the way up to the attribute.....

What I am looking to do is have a cert that covers both the short name and the FQDN of a server. For example https://tombs and https://tombs.olf.com

So if I type either one of the above, I still get to the website even though the "real" server name is say Paranormastic.

I have already created a host record called tombs that point to Paranormastic.....

OH...so webserver1 is the hostname created in DNS that points to server1..... right?

Can I create multiple SAN's for one cert?  So, how would the attribute read if say we now added webserver2 to the picture.......

And that is all I have to ask.....thanks :)
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 22690252
You can add a whole slew of SAN's to the same cert, yes - just string them together with /n or &.  For commercial certs they may charge based on the number you add, but for your own CA... I don't know what the limit is offhand, but it's a whole lot.  You got the general idea, but the main name does not need to be included in the Attributes field, as that would be in the Subject field in the CSR file; the rest would go into the Subject Alternate Name.

You could technically add entries for more than one server, say if they were in a cluster responding to the same alias.  If you do this, then create the CSR on server1 and install the cert, then export it using the Certificates MMC including the private key, then copy it to server2 and install it there.  That way they can both handle the same data properly, since they would be sharing the same private key.

If they are different apps, then you probably want to issue a different cert than having one giant cert.  You could do a wildcard, but if you want to do hostnames and IP addresses, that probably isn't the best option and some apps (e.g. OWA) don't like wildcards much.


0
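The Attributes-field syntax from comment 22689650 and the "string several SANs together" advice from comment 22690252, worked through as an added example that is not code from the thread or from Microsoft: a small Python script (standard library only) that parses the certsrv/certreq SAN attribute string in both separator styles, decides which request hostnames a certificate carrying those SANs would actually satisfy (clients compare the host against dNSName and iPAddress entries per RFC 6125; a DN:CN= entry or the Subject CN does not cover a hostname in current browsers, so a bare short name such as webserver1 needs its own dns: entry), and emits the equivalent certreq .inf [Extensions] block. Putting the SAN inside the CSR that way avoids the EDITF_ATTRIBUTESUBJECTALTNAME2 flag from comment 22689397, which makes the CA honour requester-supplied SANs on every template it issues. The names and addresses are the thread's own constructed ones; the function names are mine.

```python
"""Parse a certsrv/certreq SAN attribute string, check hostname coverage,
and emit the certreq .inf equivalent.  Added example; not from the thread."""
import ipaddress
import re

# The thread uses either the two characters "/n" or "&" between SAN entries.
_SEP = re.compile(r"/n|&")
_ENTRY = re.compile(r"(dns|ipaddress|email|upn|dn)[:=](\S+)", re.I)


def parse_san_attribute(attr: str) -> list:
    """'SAN:dns:a/ndns:b&ipaddress:10.0.0.1' -> [('dns','a'), ('dns','b'), ...].

    Accepts ':' or '=' between type and value (both are seen in practice) and
    treats the type case-insensitively.  Raises on anything it does not know."""
    if not attr.lower().startswith("san:"):
        raise ValueError("attribute must start with SAN:")
    entries = []
    for item in _SEP.split(attr[4:]):
        if not item:
            continue
        m = _ENTRY.fullmatch(item)
        if not m:
            raise ValueError(f"unrecognised SAN entry: {item!r}")
        entries.append((m.group(1).lower(), m.group(2)))
    return entries


def covers(entries: list, host: str) -> bool:
    """Would a certificate carrying these SANs be accepted for https://host/ ?

    RFC 6125 rules: a hostname is matched only against dNSName entries
    (case-insensitive, '*' matches exactly one left-most label); an IP literal
    is matched only against iPAddress entries.  dn/email/upn entries never
    satisfy a hostname, which is why a DN:CN=webserver1 entry alone does not
    make https://webserver1 work."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in entries:
        if kind == "ipaddress" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif kind == "dns" and ip is None:
            name = host.lower().rstrip(".")
            pat = value.lower().rstrip(".")
            if pat.startswith("*."):
                hl, pl = name.split("."), pat.split(".")
                if len(hl) == len(pl) and hl[1:] == pl[1:]:
                    return True
            elif name == pat:
                return True
    return False


def san_inf_section(entries: list) -> str:
    """certreq .inf [Extensions] block carrying the same SANs inside the CSR
    (certreq's documented "{text}" / _continue_ form), so the CA policy module
    does not need EDITF_ATTRIBUTESUBJECTALTNAME2 to be set."""
    items = [f"{k}={v}" for k, v in entries]
    lines = ["[Extensions]", '2.5.29.17 = "{text}"']
    for i, item in enumerate(items):
        amp = "&" if i < len(items) - 1 else ""
        lines.append(f'_continue_ = "{item}{amp}"')
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed: the thread's attribute string, plus short-name dns entries
    # so that https://server1 and https://webserver1 are covered as well.
    attr = ("SAN:dns:server1/ndns:server1.domain.com/ndns:webserver1"
            "&dns:webserver1.domain.com/nDN:CN=webserver1/nipaddress:10.0.0.1")
    sans = parse_san_attribute(attr)
    for host in ["server1", "SERVER1.domain.com", "webserver1",
                 "webserver1.domain.com", "10.0.0.1", "webserver2.domain.com"]:
        print(f"{host:25} {'covered' if covers(sans, host) else 'NOT covered'}")
    print(san_inf_section(sans))
```

Run it as-is to see that every name in the list except webserver2.domain.com is covered; drop the two short-name dns: entries and the bare hostnames stop matching even though DN:CN=webserver1 is still present. Adding webserver2 (comment 22690129's question) is just two more dns: entries in the same string.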
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 22690317
One thing that we do here, since we issue certs to a very large enterprise-sized organization and get requests from all over the place, is add the Outlook team name or support team email address as another SAN, with the email:IIS.AdminTeam@domain.com or email:"IIS Admin Team" format.  That way, when it comes time to renew it we can email that group (in case the originator moved on from the company, we still have a contact).  This would show up in the Subject Alternate Name field as the RFC882 Name:
0
 

Accepted Solution

by:
mjm21 earned 0 total points
ID: 22690436
I will check it out...thanks
0
 

Author Comment

by:mjm21
ID: 22690488
I understand the concept now.
0
