Sunday, March 17, 2013

Requesting new Microsoft Certificate Authority issued certificate with SAN entries using the Certificates MMC console

I’ve been asked several times in the past whether the certificate enrolment webpage of a Microsoft Certificate Authority (https://certServerName/certsrv) is the only way to request certificates with SAN entries. The answer is no, because we can use the Certificates snap-in in the MMC console as well. The purpose of this post is to demonstrate what the process looks like on a Windows Server 2008 server.

Begin by adding the Certificates snap-in to the MMC console, then navigate to the Certificates folder under the Personal store and right-click on the Certificates folder –> All Tasks –> Request New Certificate:


Click Next:


Select Active Directory Enrollment Policy and click Next:


Choose the template you would like to use for the certificate and click on the "More information is required to enroll for this certificate. Click here to configure settings." link. For this example, I duplicated the original Web Server Exportable template, modified the duration of the validity and made it exportable.


From within the Certificate Properties, fill in the fields such as CN, Organizational Unit, Organization, etc. that are required for the certificate:


To enter SAN entries, select DNS under the heading Type in the Alternative name box, then add the SANs (Subject Alternative Names) individually by typing each one in and clicking the Add > button:


Once all of the entries for the SAN field have been entered, review the rest of the tabs and continue by clicking the OK button:


Proceed with the enrollment:


You should now see the issued certificate with the appropriate SAN entries in your certificate store.
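The same check can be scripted instead of opening the certificate in the console. The following PowerShell is an added example, not part of the original post: it reads the Subject Alternative Name extension of the issued certificate and compares the DNS entries against the list that was requested. It assumes the certificate was enrolled into the computer account's Personal store, and the `example.com` names are constructed placeholders to replace with your own.

```powershell
# Added example, not from the original post.
# Assumptions: computer-account Personal store; example.com names are constructed.
$storePath    = 'Cert:\LocalMachine\My'
$subjectMatch = 'CN=www.example.com'
$expectedSans = @('www.example.com', 'example.com', 'mail.example.com')

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # 2.5.29.17 is the OID of the Subject Alternative Name extension.
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $sanExt) { return }

    # Format($true) renders one entry per line, e.g. "DNS Name=www.example.com".
    # The "DNS Name" label is localized; adjust the pattern on non-English systems.
    $sanExt.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+?)\s*$') { $Matches[1].ToLower() }
    }
}

$certs = @(Get-ChildItem $storePath | Where-Object { $_.Subject -like "*$subjectMatch*" })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate with subject matching '$subjectMatch' in $storePath"
}

foreach ($cert in $certs) {
    $actual  = @(Get-SanDnsNames -Certificate $cert)
    # Names requested but absent, and names present but not requested.
    $missing = @($expectedSans | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual | Where-Object { $expectedSans -notcontains $_ })

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        SanDnsNames   = $actual -join ', '
        MissingSans   = $missing -join ', '
        ExtraSans     = $extra -join ', '
        SanMatches    = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}
```

A non-empty `ExtraSans` value is worth the same attention as a missing name, since it means the certificate is valid for a host name that was not part of the intended request.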

