Solved

SSL CERT / Subject Alternative Name configuration

Posted on 2008-10-29
Last Modified: 2012-06-27
I would like to set up a website with a Subject Alternative Name (SAN) utilizing IIS and Microsoft CERTSRV.
DETAILS:
1. Have a website with an internal SSL cert configured via IIS and a certificate of authority Server Service.
2. Need to create a subject alternative name SSL cert for this website.
3. How do I do this?
Question by:mjm21
Accepted Solution

by: Paranormastic (earned 500 total points)
ID: 22833233
SAN (Subject Alternate Name) can include multiple values, and can be used for hostnames, FQDNs, IPs, aliases, etc.

To enable your CA to be able to add a SAN to certs:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

You can use the certsrv page to do this using the Attributes field, or you can do it if you install the 2003 admin pack to get certreq.exe.

certreq -submit -attrib certificatetemplate:%TemplateName%\nSAN:%SANValues% -config %CA.FQDN%\CAName -f %ReqPath%\%filename.csr% %DestPath%\%CertName%.cer >> SubmitCSR.log

For certsrv, you can combine using either & or /n; for certreq the same applies. I like to script, so when using this in a script you have to use /n because & is a parsing char for batch files. Either way, you don't need spaces.

e.g.:
(combined example) email: YourEmail@domain.com\n dns: SQLalias.domain.com
email: YourEmail@domain.com
dns: SQLalias.domain.com
dn: CN=hostname,OU=USA,DC=domain,DC=com
ipaddress: 192.168.0.1
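
An added example, not part of the original answer: a small Python helper that validates a list of names and builds the san: attribute string for the certsrv Attributes field and the quoted -attrib argument for certreq. It assumes the key=value form that the asker reports working (dns=), emits IPv4 addresses as ipaddress= (the type listed in the answer), and uses WebServer as a sample template name.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$")
TEMPLATE = re.compile(r"^[A-Za-z0-9_-]+$")


def classify(name):
    """Return (type, value) for one requested name; raise ValueError if unusable."""
    name = name.strip()
    try:
        return "ipaddress", str(ipaddress.IPv4Address(name))
    except ValueError:
        pass
    if "@" in name:
        if not EMAIL.match(name):
            raise ValueError("bad e-mail SAN: %r" % name)
        return "email", name
    labels = name.split(".")
    # Rejecting anything outside the label alphabet also rejects '&', '=' and
    # '\', which are separators in the attribute string built below.
    if len(name) > 253 or not all(LABEL.match(l) for l in labels):
        raise ValueError("bad DNS SAN: %r" % name)
    if labels[-1].isdigit():  # e.g. 999.1.1.1: a mistyped IP, not a host name
        raise ValueError("looks like a malformed IP address: %r" % name)
    return "dns", name.lower()


def san_attribute(names):
    """Value for the certsrv Attributes box, e.g. san:dns=a&dns=b."""
    parts = []
    for name in names:
        entry = "%s=%s" % classify(name)
        if entry not in parts:  # drop duplicates, keep order
            parts.append(entry)
    if not parts:
        raise ValueError("at least one name is required")
    return "san:" + "&".join(parts)


def certreq_attrib(template, names):
    """Quoted -attrib argument for certreq; the quotes stop cmd.exe parsing '&'."""
    if not TEMPLATE.match(template):  # WebServer below is an assumed sample name
        raise ValueError("bad template name: %r" % template)
    return '"CertificateTemplate:%s\\n%s"' % (template, san_attribute(names))


if __name__ == "__main__":
    wanted = ["bla.domain.com", "bla", "192.168.0.1"]  # constructed sample input
    print(san_attribute(wanted))
    print(certreq_attrib("WebServer", wanted))
```

Because EDITF_ATTRIBUTESUBJECTALTNAME2 makes the CA accept SAN values supplied as request attributes, the current setting can be reviewed on the CA with certutil -getreg policy\EditFlags.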

Author Comment

by:mjm21
ID: 22835639
Thanks. Did it from the certsrv and it worked fine.
I used what you recommended under the attribute section: san:dns=bla.domain.com&dns=bla (must have a host record or alias name set up first)&dns=ipaddress

Accepted the two trusted site questions and imported the cert to the IIS website. Tested ... worked great.

Thanks
Author Closing Comment

by:mjm21
ID: 31511262
I would have liked to have more of an explanation on setting this up with certsrv instead of scripting. But this did certainly point me in the right direction. 500 points to this fine gentleman!