Solved

SSL CERT / Subject Alternative Name configuration

Posted on 2008-10-29
Last Modified: 2012-06-27
Would like to set up a website with a Subject Alternative Name (SAN) utilizing IIS and Microsoft CERTSRV.

DETAILS:
1. Have a website with an internal SSL cert configured via IIS and a certificate of authority Server Service.
2. Need to create a subject alternative name SSL cert for this website.
3. How do I do this?
Question by:mjm21

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 22833233
SAN (Subject Alternate Name) can include multiple values, and can be used for hostnames, FQDNs, IPs, aliases, etc.

To enable your CA to be able to add a SAN to certs:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

You can use the certsrv page to do this using the Attributes field, or you can do it if you install the 2003 admin pack to get certreq.exe.

certreq -submit -attrib certificatetemplate:%TemplateName%\nSAN:%SANValues% -config %CA.FQDN%\CAName -f %ReqPath%\%filename.csr% %DestPath%\%CertName%.cer >> SubmitCSR.log

For certsrv, you can combine using either & or /n; for certreq the same applies. I like to script, so when using it in a script you have to use /n because & is a parsing char for batch files. Either way, you don't need spaces.

e.g.:
(combined example) email: YourEmail@domain.com\n dns: SQLalias.domain.com
email: YourEmail@domain.com
dns: SQLalias.domain.com
dn: CN=hostname,OU=USA,DC=domain,DC=com
ipaddress: 192.168.0.1


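The steps in the answer above, carried through as a PowerShell script with a check before and after submission. This is an added example, not code from the thread; the CA config string, template name, file paths and host names are constructed placeholders, and the final check assumes an English-language Windows (the "DNS Name=" label is localized).

```powershell
# Added example. Every value below is an assumption, not taken from the thread.
$caConfig = 'ca01.example.com\Example-CA'    # <CA FQDN>\<CA name>
$template = 'WebServer'                      # certificate template name
$csrPath  = 'C:\certs\www.csr'               # existing PKCS#10 request
$cerPath  = 'C:\certs\www.cer'               # where the issued cert is written
$dnsNames = 'www.example.com', 'www', 'intranet.example.com'

# 1. The SAN request attribute is honoured only if this CA policy flag is set.
#    Run on the CA. The flag is CA-wide: it applies to every template.
$flagSet = certutil -getreg policy\EditFlags |
    Select-String -SimpleMatch 'EDITF_ATTRIBUTESUBJECTALTNAME2' -Quiet
if (-not $flagSet) {
    throw 'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set on this CA.'
}

# 2. Reject values containing characters that would split or extend the
#    attribute string ('&', '\', '=', whitespace) before joining them.
foreach ($n in $dnsNames) {
    if ($n -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') {
        throw "Refusing SAN value '$n'"
    }
}
$san    = ($dnsNames | ForEach-Object { "dns=$_" }) -join '&'
$attrib = "CertificateTemplate:$template\nSAN:$san"   # \n stays literal in PowerShell

# 3. Submit the request with the extra attributes.
certreq -submit -attrib $attrib -config $caConfig $csrPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
if (-not (Test-Path $cerPath)) { throw 'No certificate returned (request may be pending).' }

# 4. Verify that the issued certificate carries every requested name.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if (-not $ext) { throw 'Issued certificate has no Subject Alternative Name extension.' }
$issued  = $ext.Format($true) -split "`r?`n" | ForEach-Object { $_.Trim() }
$missing = $dnsNames | Where-Object { $issued -notcontains "DNS Name=$_" }
if ($missing) { throw "Missing from issued cert: $($missing -join ', ')" }
"SAN entries verified: $($dnsNames -join ', ')"

# To stop the CA accepting requester-supplied SAN attributes again:
#   certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
#   net stop certsvc; net start certsvc
```
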
Author Comment

by:mjm21
ID: 22835639
Thanks. Did it from the certsrv and worked fine.
I used what you recommended under the attribute section: san:dns=bla.domain.com&dns=bla (must have a host record or alias name setup first)&dns=ipaddress

Accepted the two trusted site questions and imported the cert to the iis website.  tested ...worked great......

Thanks

Author Closing Comment

by:mjm21
ID: 31511262
I would have liked to have more of an explanation on setting this up with certsrv instead of scripting. But this did certainly point me in the right direction. 500 points to this fine gentleman!