Generating Certificates with Subject Alternative Names (SANs) from Internal Certificate Authority – Microsoft CA

Introduction to Certificates

Certificates are used to secure communication between clients and a server so that the transmitted data is not compromised. It is a security best practice to implement SSL whenever a web site hosts confidential information.

Certificates are issued by a certificate provider or Certification Authority (CA). To apply for a certificate, a Certificate Signing Request (CSR) is sent to the CA. The CSR contains the host name(s) that need to be protected, the email address and the company information. After verifying the information, the CA approves the request and generates a certificate, which can then be used to secure communication.

Commercial CAs issue certificates that are automatically trusted by most web browsers, but they come at a cost. To reduce costs without compromising security, many organizations implement an internal CA hierarchy. An internal CA can be used to deploy certificates within a domain or forest, and those certificates are automatically trusted by all domain-joined systems. Systems outside the domain require a manual procedure to trust them.

What are SAN Certificates?

Subject Alternative Names (SANs) allow you to specify a list of host names protected by a single SSL certificate. A SAN certificate is typically useful where you need to host multiple SSL-enabled sites on a single server using a single IP address.

SAN Certificates using Internal CA

With the advent of Exchange Server 2007/2010, SAN certificates have become increasingly popular and are sometimes necessary to configure. If you want to issue SAN certificates from your internal CA, however, you may find that you cannot. This is because a Windows-based Certification Authority does not allow the issuance of SAN certificates by default.

To allow the internal CA to issue SAN certificates, you have to modify the default issuance policy of the Certification Authority so that it accepts the Subject Alternative Name(s) attribute in the CSR.

Open a command prompt on the Certification Authority server and issue the following command:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Once the above command has been issued, Certificate Services must be restarted for the change to take effect.

After restarting Certificate Services, you will be able to generate SAN certificates from the internal CA.
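The certutil command above flips one bit in the policy module's EditFlags value. The script below is an added example (not from the original post) that reads that value back from the registry on the CA server and reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is currently set, which is useful both to confirm the change and to audit a CA you did not build yourself. The registry path and the flag's bit value (0x00040000, from the Windows SDK header certsrv.h) are real; the function name is my own.

```powershell
# Added example: audit whether this CA honours the "san:" request attribute.
# Run in an elevated PowerShell session on the CA server itself.

# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 from the Windows SDK (certsrv.h)
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

function Get-CASanAttributeState {
    # The CA's configuration lives under CertSvc\Configuration\<CA name>;
    # the "Active" value on the parent key names the running CA.
    $configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName     = (Get-ItemProperty -Path $configRoot -Name Active).Active
    $policyKey  = Join-Path $configRoot "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"

    # EditFlags is a bit mask; "certutil -setreg ... +FLAG" and "-FLAG" set or clear single bits.
    $editFlags = [int](Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags

    [pscustomobject]@{
        CAName              = $caName
        EditFlags           = '0x{0:X8}' -f $editFlags
        SanAttributeEnabled = [bool]($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)
    }
}

$state = Get-CASanAttributeState
$state | Format-List

if ($state.SanAttributeEnabled) {
    Write-Warning "CA '$($state.CAName)' honours SANs supplied as a request attribute on every template."
    Write-Warning 'To revert: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 ; Restart-Service CertSvc'
}
```

You can cross-check the result with certutil -getreg policy\EditFlags, which decodes the same bit mask by name. Keep in mind that once the flag is set, the policy module honours a SAN passed as a request attribute on any template the CA offers, not only the one you intended for Exchange, so treat the flag as a finding in any CA review and prefer carrying the SANs inside the CSR itself where your enrollment path allows it.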
Remember that while performing Web Enrollment for a SAN certificate, the Subject Alternative Names (SANs) have to be specified in the Attributes box in the format shown below.

Microsoft does not recommend issuing SAN certificates from the Enterprise Root CA. Ideally, an intermediate CA authorized by the Root CA should service the SAN certificate requests.
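As an added example (not part of the original post), here is the alternative to typing the names into the Web Enrollment attribute box: build the CSR with certreq so that the host names travel inside the request as an X.509 Subject Alternative Name extension (OID 2.5.29.17), then submit it to the issuing CA. The INF syntax and certreq switches are documented Microsoft ones; the host names, organization, CA config string ("CASERVER\Issuing-CA") and template name are constructed placeholders.

```powershell
# Added example: generate a SAN CSR with certreq and submit it to a subordinate CA.
# Run on the server that will hold the private key.

$hostNames = @('mail.example.com', 'autodiscover.example.com', 'webmail.example.com')

# One "_continue_" line per name; certreq concatenates them into the dns= list.
$sanLines = ($hostNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

# The Subject CN is the first name; every name, CN included, is repeated in the SAN.
# Exportable = FALSE keeps the key on this host; set TRUE only if it must move between servers.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$($hostNames[0]), O=Example Corp, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

$infPath  = Join-Path $env:TEMP 'san-request.inf'
$csrPath  = Join-Path $env:TEMP 'san-request.req'
$certPath = Join-Path $env:TEMP 'san-cert.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Create the key pair in the machine store and write the PKCS#10 request.
certreq.exe -new $infPath $csrPath

# Verify the SAN extension before the request leaves this host:
# certutil prints one "DNS Name=" line per entry.
certutil.exe -dump $csrPath | Select-String -Pattern 'DNS Name='

# Submit to the issuing (intermediate) CA. The template must have its subject name
# set to "Supply in the request" for the SAN extension in the CSR to be honoured.
certreq.exe -submit -config 'CASERVER\Issuing-CA' -attrib 'CertificateTemplate:WebServer' $csrPath $certPath

# Bind the issued certificate to the key pair created above.
certreq.exe -accept $certPath
```

Because the names are part of the signed request rather than a free-form attribute, the CA does not need EDITF_ATTRIBUTESUBJECTALTNAME2 to issue this certificate, and the request itself records exactly which names were asked for.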
