Archive for the ‘PKI’ Category

Many applications today require certificates that certify multiple subject names. These are typically called SAN certificates because the additional names are stored in the Subject Alternative Name extension of the certificate. One of the simplest ways to generate a request for such a certificate is Exchange 2007/2010's New-ExchangeCertificate PowerShell cmdlet. If, however, you are not running Exchange in-house, that option is not available. For those cases, the following process generates a SAN certificate request using only native Windows tools.

1) Open a new instance of MMC and add the Certificates snap-in. Configure the snap-in to manage certificates for the computer account of the local computer.

2) Right-click the Personal folder and choose All Tasks -> Advanced Operations -> Create Custom Request.

   a) Click Next on the welcome page.

   b) If prompted to select a policy, choose to proceed without a policy and click Next.

   c) Choose "(no template) Legacy Key" as the template.

   d) For Request format, select PKCS #10 (the default selection) and click Next.

   e) Click Details to expand the listing and reveal the Properties button. Click Properties.

   f) Set the following properties:

      i) Private Key tab

         (1) Key Type: Exchange

         (2) Key Options: select the desired key size. I typically use 2048.

         (3) Key Options: check Make private key exportable.

      ii) Extensions tab

         (1) Extended Key Usage: add the Server Authentication option to the selected list on the right.

      iii) Subject tab

         (1) Add an entry of type Common name to the Subject name field containing the primary subject name.

         (2) Add entries of type DNS to the Alternative name field. Add the primary subject name and any other required additional names.

         NOTE: Wildcards can also be used with this method, although currently Windows Certificate Authorities do not support issuing wildcard certificates.

      iv) General tab

         (1) Enter a friendly name and description text that will be associated with the certificate and make it easier to identify the certificate and its purpose.

   g) Click OK to close the Properties dialog and click Next.

3) Enter a filename for the request file (e.g. c:\iis-san-csr.req) and click Finish.

4) The request file can now be submitted to an internal Windows Certificate Authority (using Web Enrollment) or to a third-party CA. Note that a third-party CA may require additional Subject fields that match the organization's registered identity (OU, Department, State, Country, etc.).

5) Once you receive the issued certificate from the Certificate Authority, open the Certificates MMC again, right-click the Personal folder and choose All Tasks -> Import. Select the file and complete the wizard with the defaults.

That’s it. The resulting certificate can be exported with the private key.
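The same request can be produced from the command line with certreq.exe, which is the scriptable equivalent of the MMC custom-request wizard. The PowerShell below is an added example and is not part of the original post: it writes a certreq INF with the settings chosen in the steps above (Exchange key type, 2048-bit exportable key in the machine store, PKCS #10 format, Server Authentication EKU, DNS SAN entries), generates the request, and checks that the SAN extension actually made it into the request file. The host names, friendly name and file paths are placeholders; run it from an elevated prompt because the key is created in the computer store.

```powershell
# Added example (not from the original post). Placeholder values below.
$PrimaryName = 'www.example.com'                        # assumed primary subject name
$AltNames    = @('www.example.com', 'mail.example.com')  # assumed SAN list; include the primary name
$InfPath     = 'C:\iis-san.inf'
$ReqPath     = 'C:\iis-san-csr.req'

# One _continue_ line per DNS name; the trailing '&' chains the entries.
$SanLines = ($AltNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

$Inf = @"
[NewRequest]
Subject       = "CN=$PrimaryName"
KeySpec       = 1            ; AT_KEYEXCHANGE, the "Exchange" key type in the MMC
KeyLength     = 2048         ; key size from step 2.f.i
Exportable    = TRUE         ; "Make private key exportable"
MachineKeySet = TRUE         ; computer account store, as in step 1
RequestType   = PKCS10       ; request format from step 2.d
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName  = "IIS SAN certificate"   ; placeholder friendly name (step 2.f.iv)

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1      ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"         ; Subject Alternative Name
$SanLines
"@

Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Generate the key pair in the machine store and write the PKCS #10 request.
certreq.exe -new $InfPath $ReqPath

# Verify the request carries every expected DNS name before sending it to the CA;
# a CSR with a missing SAN entry is the most common reason an issued cert fails in IIS.
certutil.exe -dump $ReqPath | Select-String -Pattern 'Subject Alternative Name', 'DNS Name='

# Once the CA returns the certificate (step 5), this is the command-line equivalent
# of the import wizard: it binds the issued cert to the pending key in the machine store.
# certreq.exe -accept C:\iis-san.cer
```

If the certutil output does not list each name under Subject Alternative Name, fix the INF and regenerate the request rather than submitting it.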