Question
Tuesday, November 6, 2012 11:16 AM
Hi
I am looking for some help in creating a certificate request on Windows Server 2008 and IIS 7.
The certificate request needs to include two subject alternative names which I can then send to our certificate authority to process.
I was just wondering if someone could please send me instructions on how to do this.
I have no problem creating a certificate without SANs.
Thanks
Hod
All replies (4)
Wednesday, November 7, 2012 9:33 PM ✅Answered
Hi
How do you generate your request without the SAN:
GUI, certreq, or via a template?
Via certreq you need to create an .inf configuration file for the request.
Here is an example:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=www.acme.com,OU=WebServer,O=Acme inc,ST=QC,C=US,DC=acme,DC=com"
;EncipherOnly = FALSE
Exportable = FALSE ; TRUE = Private key is exportable
KeyLength = 2048 ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; Key Exchange – Required for encryption
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10 ; or CMC.
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
;OID=1.3.6.1.5.5.7.3.2 ; Client Authentication // Uncomment if you need a mutual TLS authentication
[Extensions]
SAN="dns=srv01.acme.com&url=www.acme.com&dns=www.acme.com"
Afterwards, on the command line,
this will generate the request:
certreq -new request.inf request.req
Take this .req file and have it signed by your CA.
If your CA is online,
the config string is built from the FQDN of the machine hosting the CA and the CA name.
This will submit and retrieve your request:
certreq -submit -config hostname\CAname request.req request.cer
This will install your signed request and create the association with your key pair:
certreq -accept -machine request.cer
Afterwards, if you go to the Certificates MMC snap-in and select Local Machine, you should see your certificate in the Personal store.
Hope this helps you.
Stef71
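As an added example (not part of the reply above, and not Microsoft's own script), the following PowerShell builds a request for two DNS SANs and confirms that both names are present in the request file before it is sent to the CA. It assumes the `2.5.29.17 = "{text}"` extension syntax that certreq accepts on Windows Server 2008 and later, which differs from the `SAN=` line in the reply; the host names are taken from the reply, and the file names are constructed.

```powershell
# Added example: create a CSR with two DNS SANs and verify them before submission.
# Run elevated (MachineKeySet = TRUE). Host names and file names are constructed.
$expectedSans = @('www.acme.com', 'srv01.acme.com')
$infPath = Join-Path $env:TEMP 'san-request.inf'
$reqPath = Join-Path $env:TEMP 'san-request.req'

# SAN extension (OID 2.5.29.17) in {text} form; every entry except the last ends with '&'.
$sanLines = @('2.5.29.17 = "{text}"')
for ($i = 0; $i -lt $expectedSans.Count; $i++) {
    $sep = if ($i -lt $expectedSans.Count - 1) { '&' } else { '' }
    $sanLines += ('_continue_ = "dns={0}{1}"' -f $expectedSans[$i], $sep)
}

$inf = @(
    '[Version]'
    'Signature="$Windows NT$"'
    '[NewRequest]'
    'Subject = "CN=www.acme.com"'
    'Exportable = FALSE'
    'KeyLength = 2048'
    'KeySpec = 1'
    'KeyUsage = 0xA0'
    'MachineKeySet = TRUE'
    'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"'
    'RequestType = PKCS10'
    '[EnhancedKeyUsageExtension]'
    'OID = 1.3.6.1.5.5.7.3.1'
    '[Extensions]'
) + $sanLines
Set-Content -Path $infPath -Value $inf -Encoding ASCII

if (Test-Path $reqPath) { Remove-Item $reqPath }
certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# certutil -dump lists each SAN entry as "DNS Name=<host>"; fail if any expected name is absent.
$dump = certutil -dump $reqPath | Out-String
$missing = @($expectedSans | Where-Object { $dump -notmatch ('DNS Name=' + [regex]::Escape($_) + '(\s|$)') })
if ($missing.Count -gt 0) { throw "SANs missing from request: $($missing -join ', ')" }
"Request contains all expected SANs: $($expectedSans -join ', ')"
```

Running the same `certutil -dump` check against the returned `request.cer` before `certreq -accept` shows whether the CA kept every name in the issued certificate.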
Friday, November 9, 2012 11:50 AM ✅Answered
Apologies for the late update, the CA (not going to name) issued the cert without one of the SANs that I needed, which meant I had to revoke the original request and resubmit.
I followed this TechNet link to create the certificate: http://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx
and followed the "To use the Certificate Enrollment wizard with a standalone CA" section.
Cert is now in place and all SANs catered for.
Thanks for the reply Stef71
Your solution would also have worked great for me.
Tuesday, November 6, 2012 5:33 PM
Creating SAN certificates using a Server 2008 Certification Authority (CA)
Certificate related queries, post here.
http://social.technet.microsoft.com/Forums/eu/winserversecurity/threads
Thanks
Tuesday, November 6, 2012 6:10 PM