s31064-2574
asked:
Adding a Subject Alternative Name Field to an Existing Certificate

We're using a Windows Server 2003 CA to provide certs for our VPN users, and it's been working well. The decision was just made to allow our iPad and iPhone users access to the VPN; however, this apparently requires an additional Subject Alternative Names field to be added to the server's cert. This doesn't appear to be too hard (certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2). My question is, will adding this field affect any of the other systems that are already using the VPN? I don't think it should, but I need to be sure before we make any changes to the existing infrastructure.

From the Apple iPhone OS Enterprise Deployment Guide:

The server identity certificate must contain the server's DNS name and/or IP address in the subject alternate name (SubjectAltName) field. The device uses this information to verify that the certificate belongs to the server. You can specify the SubjectAltName using wildcard characters for per-segment matching, such as vpn.*.mycompany.com, for more flexibility.

As always, thanks for the help.
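The two things a practitioner would want to verify before and after this change are (a) whether the CA already honours a requester-supplied SAN attribute, i.e. whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set, and (b) whether the VPN server's current certificate actually carries a SubjectAltName entry that covers the name the iOS devices will connect to, using the per-segment wildcard rule quoted from the Apple guide. The PowerShell below is an added example, not code from the thread or from Microsoft; the CA config string, the VPN host name and the server CN are placeholders you must replace. Keep in mind that the flag is a CA-wide policy setting (the CA will then honour a SAN passed as a request attribute by any requester), so the script only reports it rather than setting it.

```powershell
# Added example (not from the original thread). Assumptions, labelled as such:
#   - $CaConfig is the "host\CA name" config string of the issuing CA (placeholder)
#   - $VpnHost is the DNS name the iOS devices will use to reach the VPN gateway
#   - the current VPN server certificate is in the local machine's Personal store
#     and is found by its subject CN (adjust $ServerCn)
$CaConfig = 'CA-HOST\Example Issuing CA'   # placeholder, replace with your CA
$VpnHost  = 'vpn.mycompany.com'           # placeholder
$ServerCn = 'vpn.mycompany.com'           # placeholder

# 1. Is EDITF_ATTRIBUTESUBJECTALTNAME2 set on the CA?
#    certutil -getreg lists the symbolic name of every flag set in EditFlags.
function Test-CaSanAttributeFlag {
    param([string]$Config)
    $out = certutil -config $Config -getreg policy\EditFlags 2>&1 | Out-String
    return ($out -match 'EDITF_ATTRIBUTESUBJECTALTNAME2')
}

# 2. Read the DNS names from a certificate's SubjectAltName extension (OID 2.5.29.17).
function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format($true) renders one entry per line, e.g. "DNS Name=vpn.mycompany.com"
    $names = @()
    foreach ($line in ($ext.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+?)\s*$') { $names += $Matches[1] }
    }
    return $names
}

# 3. Per-segment wildcard match as the Apple guide describes (vpn.*.mycompany.com):
#    '*' stands for exactly one DNS label, and both names need the same label count.
function Test-SanMatch {
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLower().Split('.')
    $h = $HostName.ToLower().Split('.')
    if ($p.Count -ne $h.Count) { return $false }
    for ($i = 0; $i -lt $p.Count; $i++) {
        if ($p[$i] -ne '*' -and $p[$i] -ne $h[$i]) { return $false }
    }
    return $true
}

# --- run the checks ---
if (Test-CaSanAttributeFlag -Config $CaConfig) {
    Write-Host "CA $CaConfig has EDITF_ATTRIBUTESUBJECTALTNAME2 set."
} else {
    Write-Host "CA $CaConfig does NOT have EDITF_ATTRIBUTESUBJECTALTNAME2 set."
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$ServerCn*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { Write-Host "No certificate with CN=$ServerCn in LocalMachine\My"; return }

$san = Get-SanDnsNames -Cert $cert
Write-Host "Certificate $($cert.Thumbprint) SAN DNS names: $($san -join ', ')"
$covered = $san | Where-Object { Test-SanMatch -Pattern $_ -HostName $VpnHost }
if ($covered) {
    Write-Host "OK: $VpnHost is covered by SAN entry '$($covered | Select-Object -First 1)'."
} else {
    Write-Host "MISSING: no SAN entry covers $VpnHost; a new certificate with it must be issued."
}
```

Run it on a machine with the CA management tools installed and on the VPN server itself (or against an exported .cer via `New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\server.cer'` in place of the store lookup). A "MISSING" result is the expected outcome for a certificate issued before the change: an issued certificate cannot be altered, so the SAN has to arrive with a newly issued one.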
ASKER CERTIFIED SOLUTION
asavener
caronas

It is impossible to change signed certificates. You must get a new certificate with the needed attributes.
If you use the internal certification hierarchy, you have to give the server (Computername+"$") and the administrator "Register Certificate" rights under the web server certificate draft. Then you can use the Certificates snap-in in MMC (add the "Certificates" snap-in for the computer account) to create a certificate with all the wanted options.

If not, you can try XCA (http://xca.sourceforge.net/) to get the request and/or certificate with your options.
s31064-2574 (ASKER)
I'm swamped right now thanks to Sandy (no pun intended). As soon as I get a chance to check this out I'll dish out the points. Thanks for your help guys.

Sorry it took so long to award the points. After I finally got caught up it kind of slipped my mind.