?
Solved

SSL CERT / Subject Alternative Name configuration

Posted on 2008-10-29
3
Medium Priority
?
3,901 Views
Last Modified: 2012-06-27
Would like to setup a website with a Subject alternative name (SAN) utilizing IIS and Microsoft CERTSRV?  
DETAILS:  1. Have a website with an internal SSL cert configured via IIS and a certificate of authority Server Service.  
2. Need to create a subject alternative name SSL cert for this website.
3. How do I do this?  
0
Comment
Question by:mjm21
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 31

Accepted Solution

by:
Paranormastic earned 1500 total points
ID: 22833233
SAN (Subject Alternate Name) can include multiple values, and can be used for hostnames, FQDNs, IPs, aliases, etc.

To enable your CA to be able to add a SAN to certs:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

You can use the certsrv page to do this using the Attributes field, or you can do it if you install the 2003 admin pack to get certreq.exe.

certreq -submit -attrib certificatetemplate:%TemplateName%\nSAN:%SANValues% -config %CA.FQDN%\CAName -f %ReqPath%\%filename.csr% %DestPath%\%CertName%.cer >> SubmitCSR.log

For certsrv, you can combine using either & or /n, for certreq the same applies.  I like to script, so using in a script you have to /n because & is a parsing char for batch files.  Either way, you don't need spaces.

e.g.:
(combined example) email: YourEmail@domain.com\n dns: SQLalias.domain.com
email: YourEmail@domain.com
dns: SQLalias.domain.com
dn: CN=hostname,OU=USA,DC=domain,DC=com
ipaddress: 192.168.0.1

0
 

Author Comment

by:mjm21
ID: 22835639
thanks.  Did it from the certsrv and worked fine.
I used what you reciommended under the attribute section:  san:dns=bla.domain.com&dns=bla (must have a host record or alias name setup first)&dns=ipaddress

Accepted the two trusted site questions and imported the cert to the iis website.  tested ...worked great......

Thanks
0
 

Author Closing Comment

by:mjm21
ID: 31511262
I would of liked to have more of  an explaination on setting this up with certsrv instead of scripting.  But this did certainly point me in the right direction.  500 points to this fine gentleman!
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#SSL #TLS #Citrix #HTTPS #PKI #Compliance #Certificate #Encryption #StoreFront #Web Interface #Citrix XenApp
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question