First, you need to create a certificate request with certsrv. You can do this by opening a web browser and navigating to http://<your CA server>/certsrv. Then, click on "Request a certificate" and choose "advanced certificate request". On the next page, select "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file". This option allows you to upload a certificate request file (.csr) that you have created with another tool, such as OpenSSL.
Now, here comes the fun part. To add a SAN to your request, you need to use the additional attributes field at the bottom of the page. This field allows you to specify any extra information that you want to include in your certificate request. To add a SAN, you need to use the following syntax:
san:dns=<your domain name>
For example, if you want to add a SAN for www.example.com, you would type:
san:dns=www.example.com
You can add multiple SANs by separating them with an ampersand ( & ) like this:
san:dns=www.example.com&dns=example.com
You can even add an ip address
Once you have entered your SANs, click on "Submit" and wait for your request to be processed.
But wait, there's more! You're not done yet. You see, by default, the CA will ignore any SANs that you have specified in your request. That's because the CA needs to be configured to accept SANs from certificate requests. To do that, you need to use certutil.
Certutil is a command-line tool that allows you to manage certificates and CAs. You can use it to enable SAN support on your CA by running the following command on your CA server:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
This command will modify the registry value of EditFlags under the policy key of your CA configuration. It will add the flag EDITF_ATTRIBUTESUBJECTALTNAME2, which tells the CA to copy any SANs from the additional attributes field of the request to the certificate.
After running this command, you need to restart the CA service for the changes to take effect. You can do this by running:
net stop certsvc
net start certsvc
And that's it! You have successfully added a SAN to your certificate request with certsrv and enabled SAN support on your CA with certutil.
I hope you enjoyed this post and learned something new. If you have any questions or comments, feel free to leave them below.
