Solved

SSL CERT / Subject Alternative Name configuration

Posted on 2008-10-29
Last Modified: 2012-06-27
Would like to set up a website with a Subject Alternative Name (SAN) utilizing IIS and Microsoft CERTSRV.
DETAILS:
1. Have a website with an internal SSL cert configured via IIS and a certificate of authority Server Service.
2. Need to create a subject alternative name SSL cert for this website.
3. How do I do this?
Question by:mjm21

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 22833233
SAN (Subject Alternate Name) can include multiple values, and can be used for hostnames, FQDNs, IPs, aliases, etc.

To enable your CA to be able to add a SAN to certs:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

You can use the certsrv page to do this using the Attributes field, or you can do it if you install the 2003 admin pack to get certreq.exe.

certreq -submit -attrib certificatetemplate:%TemplateName%\nSAN:%SANValues% -config %CA.FQDN%\CAName -f %ReqPath%\%filename.csr% %DestPath%\%CertName%.cer >> SubmitCSR.log

For certsrv, you can combine using either & or /n; for certreq the same applies. I like to script, so when using this in a script you have to use /n because & is a parsing char for batch files. Either way, you don't need spaces.

e.g.:
(combined example) email: YourEmail@domain.com\n dns: SQLalias.domain.com
email: YourEmail@domain.com
dns: SQLalias.domain.com
dn: CN=hostname,OU=USA,DC=domain,DC=com
ipaddress: 192.168.0.1
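
The following PowerShell is an added example, not code from the answer above. It reports whether the CA currently has EDITF_ATTRIBUTESUBJECTALTNAME2 set (with that flag the CA accepts SAN values supplied as request attributes) and builds the san: attribute string from validated DNS names, so a stray & or \n in a value cannot add extra entries. The function names and sample host names are assumptions.

```powershell
# Added example: run on the CA server in an elevated PowerShell session.
# Function names and host names are hypothetical, chosen for illustration.

function Test-SanAttributeFlag {
    # certutil -getreg lists the symbolic name of every EditFlags bit that is set,
    # so the flag is enabled exactly when its name appears in the output.
    $output = certutil -getreg policy\EditFlags
    [bool]($output | Select-String -SimpleMatch 'EDITF_ATTRIBUTESUBJECTALTNAME2')
}

function New-SanAttribute {
    param([Parameter(Mandatory)][string[]]$DnsName)

    # One DNS label: letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'

    foreach ($name in $DnsName) {
        # \z (not $) so a trailing newline cannot slip through the match.
        if ($name.Length -gt 253 -or $name -notmatch "^$label(?:\.$label)*\z") {
            throw "Rejected SAN value '$name': not a plain DNS name"
        }
    }

    # Attribute form used on the certsrv page: san:dns=a&dns=b
    'san:' + (($DnsName | ForEach-Object { "dns=$_" }) -join '&')
}

if (Test-SanAttributeFlag) {
    Write-Output 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: SAN request attributes are honoured.'
} else {
    Write-Output 'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set: SAN request attributes are ignored.'
}

# Constructed sample names; paste the result into the certsrv Attributes field.
New-SanAttribute -DnsName 'bla.domain.com', 'bla'

# A value carrying a separator is refused instead of becoming a second entry.
try   { New-SanAttribute -DnsName 'bla.domain.com&dns=other.domain.com' }
catch { Write-Output $_.Exception.Message }
```

The flag is CA-wide, so while it is set the SAN attribute is honoured on every template that CA issues, not only the web server one.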


Author Comment

by:mjm21
ID: 22835639
Thanks. Did it from the certsrv and worked fine.
I used what you recommended under the attribute section: san:dns=bla.domain.com&dns=bla (must have a host record or alias name setup first)&dns=ipaddress

Accepted the two trusted site questions and imported the cert to the IIS website. Tested... worked great.

Thanks

Author Closing Comment

by:mjm21
ID: 31511262
I would have liked to have more of an explanation on setting this up with certsrv instead of scripting. But this did certainly point me in the right direction. 500 points to this fine gentleman!