SAN in certificates–might be useful

From time to time, I found myself searching through my own blog site (the old one) for this information. So, if you ever need to configure Windows Server 2003 or 2008 to issue certificates with subject alternative names, you will need to execute the following commands on the CA computer:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

After this, your CA will be able to issue certificates with SANs. You can do it by sending a req file to the CA, or by using the web console. If you are using the web console, choose to perform an advanced certificate request, and then in the Attributes field enter the alternative names in the format:

san:dns=dns.name[&dns=dns.name]

For example: san:dns=exchange.domain.com&dns=autodiscover.domain.com
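
Because the names in the Attributes field are typed in by whoever makes the request, it is worth checking them before a request is submitted or approved. The following is an added example, not part of the original post: it parses the san: attribute string and flags entries that are not DNS names inside an allowed zone. The allow list, the sample inputs and the function names are assumptions made for illustration.

```python
# Added example: vet the "san:" request attribute before submitting/approving.
# ALLOWED_DNS_SUFFIXES and all function names are assumptions for illustration.
ALLOWED_DNS_SUFFIXES = ("domain.com",)  # constructed policy: zones this CA serves
ALLOWED_TYPES = {"dns"}                 # the post only uses dns= entries


def parse_san_attribute(attr):
    """Split 'san:dns=a&dns=b' into [('dns', 'a'), ('dns', 'b')]."""
    prefix, sep, body = attr.strip().partition(":")
    if prefix.lower() != "san" or not sep or not body:
        raise ValueError("attribute must look like san:dns=name[&dns=name]")
    entries = []
    for part in body.split("&"):
        kind, eq, value = part.partition("=")
        if not eq or not kind.strip() or not value.strip():
            raise ValueError(f"malformed entry: {part!r}")
        entries.append((kind.strip().lower(), value.strip().lower()))
    return entries


def dns_name_allowed(name):
    """True only for exact zone names or hosts beneath an allowed zone."""
    name = name.rstrip(".")
    if "*" in name:  # wildcards are left for manual review here
        return False
    return any(name == z or name.endswith("." + z) for z in ALLOWED_DNS_SUFFIXES)


def review_san_attribute(attr):
    """Return findings for the attribute; an empty list means it passed."""
    findings = []
    for kind, value in parse_san_attribute(attr):
        if kind not in ALLOWED_TYPES:
            findings.append(f"{kind}={value}: entry type not permitted")
        elif not dns_name_allowed(value):
            findings.append(f"dns={value}: outside allowed zones")
    return findings


if __name__ == "__main__":
    samples = [  # constructed inputs; the first is the example from the post
        "san:dns=exchange.domain.com&dns=autodiscover.domain.com",
        "san:dns=exchange.domain.com&dns=domain.com.example.net",
        "san:dns=mail.domain.com&ipaddress=192.0.2.10",
    ]
    for s in samples:
        print(s, "->", review_san_attribute(s) or "ok")
```

The suffix check compares against "." plus the zone, so a name that merely ends in the same letters as an allowed zone does not pass.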
