# Friday, 15 May 2009

First you need to enable the CA to accept SAN requests by changing the registry:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

A nice description of how to enable SANs on a Microsoft CA can be found here.

I used that as a base to request WebServer certificates with certreq, but I had to remove the EncipherOnly line and change the Exportable flag to TRUE in the INF file:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = ""              ; must be the FQDN of the server (the linked article uses a domain controller)
; EncipherOnly = FALSE    ; removed, see below
Exportable = TRUE         ; TRUE = private key is exportable
KeyLength = 1024          ; common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1               ; key exchange
KeyUsage = 0xA0           ; digital signature, key encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
; omit this entire section if the CA is an enterprise CA
OID=1.3.6.1.5.5.7.3.1     ; Server Authentication

[RequestAttributes]
; omit this line if the CA is a stand-alone CA
CertificateTemplate = WebServer


The complete INF file syntax used by certreq can be found here.

EncipherOnly seems not to work in my 2008 environment, or some other flag made it invalid.


In addition, when creating the request, I specified the CA on the certreq command line:

certreq -new request.inf certnew.req
certreq -config mycaserver\myca -submit certnew.req certnew.cer

The last line outputs the RequestId needed for the next certreq command. Then, on the CA, issue the certificate if it is not issued automatically (this depends on the template used).
After that you can retrieve and accept the certificate:

certreq -config mycaserver\myca -retrieve myidreturnedfromsubmitcommand certnew.cer
certreq -accept certnew.cer
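The whole flow above, scripted end to end, as an added example that is not part of the original post. It supplies the SAN as a request attribute at submit time, which is exactly the form EDITF_ATTRIBUTESUBJECTALTNAME2 makes the CA honour, and it pulls the RequestId out of certreq's output instead of retyping it. It first checks that the flag is really set on the CA, because the registry change only takes effect after certsvc has been restarted there. The CA config string, template, subject and host names are placeholders; the key length is 2048 rather than the post's 1024. One thing to keep in mind when enabling that flag: the CA will then honour a SAN attribute from any account that can enroll on any template, so template enrollment permissions decide who can obtain a certificate for a name they do not own.

```powershell
# Added example (not from the original post): the complete certreq flow from
# the post, scripted, with the SAN supplied as a request attribute at submit
# time (the form that EDITF_ATTRIBUTESUBJECTALTNAME2 makes the CA honour).
# Run from an elevated PowerShell prompt on the web server. The CA config
# string, template, subject and host names below are placeholders.
$CaConfig = 'mycaserver\myca'                               # placeholder, as in the post
$Template = 'WebServer'
$Subject  = 'CN=www.example.com'                            # placeholder
$SanNames = @('www.example.com', 'intranet.example.com')    # placeholders
$WorkDir  = Join-Path $env:TEMP 'sanreq'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir 'request.inf'
$req = Join-Path $WorkDir 'certnew.req'
$cer = Join-Path $WorkDir 'certnew.cer'

# 1. Check that the CA actually accepts SAN request attributes before doing
#    any work; the EditFlags change has to be applied on the CA and certsvc
#    restarted there for it to take effect.
$flagsText = certutil -config $CaConfig -getreg policy\EditFlags 2>&1 | Out-String
if ($flagsText -notmatch 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    throw "CA $CaConfig does not accept SAN request attributes:`n$flagsText"
}

# 2. Write the INF. Same settings as the post's file, but with a 2048-bit key;
#    the EnhancedKeyUsageExtension section is omitted because the template on
#    an enterprise CA supplies the EKU.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# 3. Build the request and submit it. The SAN attribute syntax is
#    "SAN:dns=host1&dns=host2"; every name the certificate should cover goes here.
$sanAttrib = 'SAN:' + (($SanNames | ForEach-Object { "dns=$_" }) -join '&')
certreq -new $inf $req | Out-Null
$submitText = certreq -config $CaConfig -submit -attrib $sanAttrib $req $cer 2>&1 | Out-String

# 4. certreq prints "RequestId: <n>"; keep it in case the template needs
#    manager approval and the request is left pending on the CA.
$requestId = [regex]::Match($submitText, 'RequestId:\s*(\d+)').Groups[1].Value

if ($submitText -match 'pending') {
    Write-Host "Request $requestId is pending. Issue it on the CA, then run:"
    Write-Host "  certreq -config $CaConfig -retrieve $requestId $cer"
    Write-Host "  certreq -accept $cer"
} else {
    # Issued straight away: -accept binds the certificate to the private key
    # that -new created in the machine store (MachineKeySet = True).
    certreq -accept $cer
    # Confirm the SAN entries before using the certificate in IIS.
    certutil -dump $cer | Select-String 'DNS Name='
}
```

If the template requires CA manager approval, the script stops after submit and prints the two commands to run once the request has been issued; otherwise the certificate lands in the machine store immediately and the final certutil call lists the DNS names it actually carries.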

After that, you have a certificate with multiple SANs in your computer's machine store (we specified MachineKeySet) which can be used in IIS.

Just to mention:

It's easy to add multiple websites to IIS using host headers, but if you want to use SSL on those sites you have to add the SSL binding. The easiest way I found was using the command line; the commands depend on the version of your IIS.


cscript.exe c:\inetpub\adminscripts\adsutil.vbs set /w3svc/mysiteid/SecureBindings ":443:myhostheader"

The host header is pretty obvious, and mysiteid can be found when you click on the Web Sites node in IIS Manager (it's the Identifier column).


appcmd set site /"mysite" /+bindings.[protocol='https',bindingInformation='*:443:myhostheader]
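A small wrapper around the two commands above, as an added example that is not part of the original post: it reads the installed IIS major version from the registry and runs whichever of the post's commands applies, so the same call works on a 2003 and a 2008 box. Site name or ID, host header and port are placeholders.

```powershell
# Added example (not from the original post): add an https host-header binding
# to an existing site with whichever of the post's two commands matches the
# installed IIS version. Site name or ID and host header are placeholders.
function Add-HttpsHostHeaderBinding {
    param(
        [Parameter(Mandatory)][string]$Site,        # IIS 7+: site name; IIS 6: numeric site identifier
        [Parameter(Mandatory)][string]$HostHeader,
        [int]$Port = 443
    )
    # InetStp\MajorVersion is written by IIS setup and tells the two generations apart.
    $iisMajor = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' -Name MajorVersion).MajorVersion
    if ($iisMajor -ge 7) {
        # IIS 7+: appcmd, site addressed by name
        $appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
        & $appcmd set site $Site "/+bindings.[protocol='https',bindingInformation='*:${Port}:${HostHeader}']"
    } else {
        # IIS 6: adsutil.vbs, site addressed by its numeric identifier
        $adsutil = Join-Path $env:SystemDrive 'inetpub\adminscripts\adsutil.vbs'
        cscript.exe //nologo $adsutil set "/w3svc/$Site/SecureBindings" ":${Port}:${HostHeader}"
    }
}

# Usage (placeholders): Add-HttpsHostHeaderBinding -Site 'mysite' -HostHeader 'myhostheader'
```

On IIS 7 the binding alone does not attach a certificate to port 443; the SAN certificate from the machine store still has to be associated with the IP:port pair (IIS Manager or netsh http add sslcert) once, and every host-header site on that address then uses it.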

Friday, 15 May 2009 10:00:26 (Central European Summer Time, UTC+02:00)
Authentication | Certificates | IIS
About the author/Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.
Any link on this site may lead to an external website that is not under my control and that external website might show an opinion that is not mine.

© Copyright 2017
Hannes Köhler