First you need to enable the CA to accept SAN requests by changing the registry:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
A nice description of how to enable SANs on a MS CA can be found here.
I used that as a base to request WebServer certificates with certreq, but I had to remove the EncipherOnly line and I changed the Exportable flag to true in the INF file:
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=corpdc1.fabrikam.com" ; must be the FQDN of domain controller
; EncipherOnly = FALSE
Exportable = TRUE ; TRUE = Private key is exportable
KeyLength = 1024 ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; Key Exchange
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageOID] ; Omit entire section if CA is an enterprise CA
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer ; Omit line if CA is a stand-alone CA
The complete INF file syntax used by certreq can be found here: http://technet.microsoft.com/en-us/library/cc736326(WS.10).aspx
EncipherOnly seems not to work in my 2008 environment, or some other flags made it invalid.
In addition, when creating the request, I specified the CA on the certreq command line:
certreq -new request.inf certnew.req
certreq -config mycaserver\myca -submit certnew.req certnew.cer
The last line outputs the RequestId needed for the next certreq command. Then, on the CA, issue the certificate if it is not automatically issued (this depends on the template used).
After that you can retrieve and accept the certificate:
certreq -config mycaserver\myca -retrieve myidreturnedfromsubmitcommand certnew.cer
certreq -accept certnew.cer
After that, you have a certificate with multiple SANs in your computer's machine store (we specified MachineKeySet) which can be used in IIS.
Just to mention:
It's easy to add multiple websites to IIS using host headers, but if you want to use SSL on those sites you have to add the SSL binding. The easiest way I found was using the command line. The commands depend on the version of your IIS.
cscript.exe c:\inetpub\adminscripts\adsutil.vbs set /w3svc/mysiteid/SecureBindings ":443:myhostheader"
The host header is pretty obvious, and the mysiteid can be found when you click on the Web Sites node in the IIS manager (it's the Identifier column).
appcmd set site /site.name:"mysite" /+bindings.[protocol='https',bindingInformation='*:443:myhostheader']
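The whole procedure from the answer as one script, added here as an example (not code from the original answer): it writes the INF with the SAN carried in an [Extensions] section, runs the certreq request/submit/retrieve/accept sequence, and then checks the SAN names on the issued certificate. The CA config 'mycaserver\myca', the host names and the file names are assumed values.

```powershell
# Added example, not code from the original answer. Assumed values: CA config
# 'mycaserver\myca', the example host names and the request/cert file names.
$CaConfig = 'mycaserver\myca'
$Subject  = 'CN=www.example.com'
$SanNames = @('www.example.com', 'intranet.example.com')
# Carrying the SAN inside the signed request means the CA does not need
# EDITF_ATTRIBUTESUBJECTALTNAME2 for it; that flag is only needed for the unsigned
# submit attribute (-attrib "SAN:dns=...") and lets any enrollee request any name.
$sanLines = for ($i = 0; $i -lt $SanNames.Count; $i++) {
    $sep = if ($i -lt $SanNames.Count - 1) { '&' } else { '' }   # '&' joins entries
    "_continue_ = `"dns=$($SanNames[$i])$sep`""
}
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "$Subject"
Exportable = TRUE             ; as in the answer; FALSE if the key never leaves this host
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
[EnhancedKeyUsageOID]
OID = 1.3.6.1.5.5.7.3.1       ; Server Authentication
[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path request.inf -Encoding Ascii
certreq -new request.inf certnew.req
$submit = certreq -config $CaConfig -submit certnew.req certnew.cer | Out-String
if (-not (Test-Path certnew.cer) -and $submit -match 'RequestId:\s*(\d+)') {
    # Pending (manager approval): issue it on the CA, then fetch it by request id.
    certreq -config $CaConfig -retrieve $Matches[1] certnew.cer
}
certreq -accept certnew.cer
# Read back the issued certificate and check every expected DNS name is in its SAN.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $PWD 'certnew.cer')
$san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
foreach ($n in $SanNames) {
    if ($san -notmatch [regex]::Escape("DNS Name=$n")) { Write-Warning "SAN missing: $n" }
}
$san
```

Run it in an elevated PowerShell on the server that should hold the private key, since MachineKeySet stores the key in the machine store.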