• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3934
  • Last Modified:

SSL CERT / Subject Alternative Name configuration

Would like to setup a website with a Subject alternative name (SAN) utilizing IIS and Microsoft CERTSRV?  
DETAILS:  1. Have a website with an internal SSL cert configured via IIS and a certificate of authority Server Service.  
2. Need to create a subject alternative name SSL cert for this website.
3. How do I do this?  
0
mjm21
Asked:
mjm21
  • 2
1 Solution
 
ParanormasticCryptographic EngineerCommented:
SAN (Subject Alternate Name) can include multiple values, and can be used for hostnames, FQDNs, IPs, aliases, etc.

To enable your CA to be able to add a SAN to certs:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

You can use the certsrv page to do this using the Attributes field, or you can do it if you install the 2003 admin pack to get certreq.exe.

certreq -submit -attrib certificatetemplate:%TemplateName%\nSAN:%SANValues% -config %CA.FQDN%\CAName -f %ReqPath%\%filename.csr% %DestPath%\%CertName%.cer >> SubmitCSR.log

For certsrv, you can combine using either & or /n, for certreq the same applies.  I like to script, so using in a script you have to /n because & is a parsing char for batch files.  Either way, you don't need spaces.

e.g.:
(combined example) email: YourEmail@domain.com\n dns: SQLalias.domain.com
email: YourEmail@domain.com
dns: SQLalias.domain.com
dn: CN=hostname,OU=USA,DC=domain,DC=com
ipaddress: 192.168.0.1

0
 
mjm21Author Commented:
thanks.  Did it from the certsrv and worked fine.
I used what you reciommended under the attribute section:  san:dns=bla.domain.com&dns=bla (must have a host record or alias name setup first)&dns=ipaddress

Accepted the two trusted site questions and imported the cert to the iis website.  tested ...worked great......

Thanks
0
 
mjm21Author Commented:
I would of liked to have more of  an explaination on setting this up with certsrv instead of scripting.  But this did certainly point me in the right direction.  500 points to this fine gentleman!
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now