Introduction to Certificates
Certificates are used to secure communication between clients and the server so that the transmitted data is not compromised. It is a security best practice to implement SSL whenever a web site hosts confidential information.
Certificates are issued by a Certificate Provider or Certification Authority (CA). To apply for a certificate, a Certificate Signing Request (CSR) is sent to the CA. This CSR contains the host name(s) that need to be protected, the email address and the company information. The CA, after verifying the information, approves the request and generates a Certificate. This Certificate can then be used to secure communication.
Commercial CAs issue certificates that will automatically be trusted by most web browsers, but they come with a cost. To reduce the costs without compromising on security, many organizations implement an internal CA hierarchy. An internal CA can be used to deploy certificates internally within a domain or forest. These certificates will be automatically trusted by all of its domain-joined systems. For systems outside the domain, a manual procedure is required to trust these certificates.
What are SAN Certificates?
Subject Alternative Names (SAN) allow you to specify a list of host names to be protected by a single SSL certificate. A SAN Certificate is typically useful in scenarios where you need to host multiple SSL-enabled sites on a single server using a single IP address.
SAN Certificates using Internal CA
With the advent of Exchange Server 2007/2010, SAN Certificates have become increasingly popular and sometimes necessary to configure. But if you want to issue SAN Certificates from your Internal CA, you might be unable to do so. This is because a Windows-based Certificate Authority does not allow the issuance of SAN Certificates by default.
To allow the internal CA to issue SAN Certificates, you have to modify the default Issuance policy of Certificate Authority to accept the Subject Alternative Name(s) attribute in the CSR.
Open a command prompt on the Certificate Authority server and issue the following command:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
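The following PowerShell script is an added example, not part of the original article: it checks whether the CA already honours the SAN request attribute, enables it with the command above only if needed, restarts the CA service so the new policy takes effect, and then submits a CSR that names several hosts through the SAN attribute. It assumes it is run elevated on the CA server; the flag value 0x40000 is the documented value of EDITF_ATTRIBUTESUBJECTALTNAME2, and request.req and the example.com host names are placeholders.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the CA server. Once EDITF_ATTRIBUTESUBJECTALTNAME2 is set, the CA
# accepts whatever SAN the requester places in the request attributes for any
# template, so treat this setting as one to audit and restrict enrollment on.
$AttributeSanFlag = 0x40000   # EDITF_ATTRIBUTESUBJECTALTNAME2 (documented value)

function Get-CaEditFlags {
    # certutil prints a line such as "EditFlags REG_DWORD = 15014e (1376590)";
    # the first number is hexadecimal.
    $output = certutil -getreg policy\EditFlags 2>&1 | Out-String
    if ($output -match 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
        return [Convert]::ToInt32($Matches[1], 16)
    }
    throw "Could not read policy\EditFlags from certutil output:`n$output"
}

function Test-CaAcceptsRequestSan {
    # True when the SAN-attribute bit is set in the policy module's EditFlags.
    return (((Get-CaEditFlags) -band $AttributeSanFlag) -ne 0)
}

# 1. Report the current state before changing anything.
if (Test-CaAcceptsRequestSan) {
    Write-Host "CA already honours the SAN request attribute (EDITF_ATTRIBUTESUBJECTALTNAME2 is set)."
} else {
    Write-Host "CA ignores the SAN request attribute; enabling it as described in the article."
    certutil -setreg policy\EditFlags '+EDITF_ATTRIBUTESUBJECTALTNAME2' | Out-Null
    # The policy module reads EditFlags at start-up, so the CA service must be
    # restarted for the change to apply (issuance pauses briefly).
    Restart-Service -Name CertSvc
    if (-not (Test-CaAcceptsRequestSan)) { throw "EDITF_ATTRIBUTESUBJECTALTNAME2 did not take effect." }
}

# 2. Submit an existing CSR (e.g. one generated for Exchange) and ask for the
#    extra host names through the SAN request attribute. Placeholder names.
certreq -submit -attrib "SAN:dns=mail.example.com&dns=autodiscover.example.com" request.req
```

The SAN attribute syntax joins several names with &; the CSR in request.req must already exist, since the script only submits it.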