Tuesday, February 7, 2012

Why is my newly deployed Windows Server 2008 R2 Enterprise Root CA (Certificate Authority) unable to issue certificates with SAN (Subject Alternative Name) entries?

Problem

You have just recently deployed a new Windows Server 2008 R2 Enterprise Root CA in your Active Directory and would like to issue certificates with SAN (Subject Alternative Name) entries.  As per the following KB:

How to add a Subject Alternative Name to a secure LDAP certificate
http://support.microsoft.com/kb/931351

… you added the line:

san:dns=citrix-vdi&dns=WEBINTERFACE01.contoso.com&dns=WEBINTERFACE01&dns=WEBINTERFACE02.contoso.com&dns=WEBINTERFACE02

… in the Attributes box but you notice that when you review the certificate’s details tab, you don’t see these entries added in.

Solution

The solution is to configure the CA to actually accept the SAN attribute.  The KB article linked above covers this in the section titled:

----------------------------------------------------------------------------------------------------------------------------------------------------------------

How to configure a CA to accept a SAN attribute from a certificate request
By default, a CA that is configured on a Windows Server 2003-based computer does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command.

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

----------------------------------------------------------------------------------------------------------------------------------------------------------------

I’m sure some people will ask: “Why are you even blogging about this?”  My answer is that the KB article doesn’t say which version of Windows it applies to; the only mention of a Windows Server version is Windows Server 2003 under the Related Support Centers heading, and the same fix is needed on a Windows Server 2008 R2 CA.

So to enable your new CA to accept SAN attributes, execute the following commands on the CA server:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc


Once the commands have completed successfully and the CA service has been restarted, reissue the certificate with the additional attributes and you should now see the SAN entries on the certificate’s Details tab:

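Because this flag lets any requester supply SAN names through the request attributes rather than through the certificate template, it is worth being able to check which CAs have it set and to confirm an issued certificate really carries the SAN extension. The following PowerShell is an added example, not part of the original post or the KB article; it assumes it runs on the CA server with rights to read the CertSvc registry key, and the certificate path in the last line is a hypothetical placeholder.

```powershell
# Added example (not from the original post): audit the EditFlags bit that
# "certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2" sets,
# and show the SAN extension of an issued certificate.
# Assumes it runs on the CA server with read access to
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc.

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # documented value of this flag

function Test-CaSanAttributeFlag {
    # Reads the same EditFlags value that certutil -setreg policy\EditFlags writes.
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
    $policyKey = Join-Path $configKey "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $editFlags = [int](Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags

    [pscustomobject]@{
        CAName              = $caName
        EditFlags           = ('0x{0:X}' -f $editFlags)
        SanAttributeEnabled = [bool]($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)
    }
}

function Get-CertificateSan {
    # Prints the Subject Alternative Name extension of a certificate file,
    # i.e. what the post checks by eye on the certificate's Details tab.
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if ($null -eq $san) {
        "No SAN extension in $Path (subject: $($cert.Subject))"
        return
    }
    $san.Format($true)    # one entry per line, e.g. DNS Name=WEBINTERFACE01.contoso.com
}

Test-CaSanAttributeFlag
# Get-CertificateSan -Path 'C:\certs\webinterface01.cer'   # hypothetical path
```

If SanAttributeEnabled reports True on a CA where you did not intend it, the flag can be cleared with the same certutil syntax using -EDITF_ATTRIBUTESUBJECTALTNAME2 followed by a restart of certsvc.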

1 comment:

windows server said...

As a Dell employee I think your post is really interesting. The information you shared with us is really useful. Thanks for sharing with us. Keep posting such information.