get-certificate with Subject Alternate Name (SAN) to include IP Addresses

GreenerJay 41 Reputation points
2022-05-18T16:19:02.867+00:00

Hi

I have a PowerShell script that will obtain a certificate from our Enterprise CA that works well. That being said, I am trying to include a parameter that will provide me with an IP address in the subject alternate name field. Anything I put after the -DnsName parameter gets included as a DNS name, not an IP address. I need the IP address to appear in the SAN list as IP Address = x.x.x.x, not DNS Name = x.x.x.x; otherwise the browser will throw an error if I access it via IP address.

The cmdlet I'm using is Get-Certificate. I use different variables to tie it all together and they work; again, I just need an IP address in my Subject Alternate Name field.

Get-Certificate -Url https://serverpath/pathtoCEP -Credential $cert -Template StandAlone -CertStoreLocation Cert:\LocalMachine\My -SubjectName "CN=$subject" -DnsName $subject

I've attached an image to clarify what I'm talking about. The image shows the end result of what I want (ignore the rfc822 stuff).

203244-san.png


3 answers

  1. DaveK 1,851 Reputation points
    2022-05-19T19:47:52.517+00:00

    I'd done something which may help with this, but it's a much longer script and would give you a lot more flexibility.

    Consider creating the CSR manually yourself and then using this with the Get-Certificate command rather than specifying the DNS on the commandline.

    Take a look at this GitHub example. Not mine, but the closest example I could find of the type of thing I mean: https://gist.github.com/paschott/966f5ae8b1eda5efce874914d95aafd9

    I'm doing something similar with OpenSSL to create requests I can use to fire over to DigiCert for creating duplicates from a wildcard, and it's been working well for my use case. I haven't tried this myself on our internal PKI, but I didn't spot anything which jumps out to make me think this isn't something which might work.


  2. GreenerJay 41 Reputation points
    2022-06-07T16:16:38.013+00:00

    Thanks for the reply. We are automating hundreds of certificate requests for mobile devices, so generating the CSR manually wouldn't work. I've thought about using a script to create a template (.inf) file, but even that would get tedious after a hundred uses.


  3. DaveK 1,851 Reputation points
    2022-06-09T12:27:37.923+00:00

    Maybe my choice of words isn't ideal there. I've used CSRs as I'm submitting to an external provider, but in your case I see no reason why you can't dynamically create the .inf files and submit the requests just like in the example on GitHub.

    I'm curious, in case I'm misunderstanding something, so bear with me: how would scripting the creation of the .inf files to automate the requests become tedious after a hundred uses?

    In your existing solution mentioned in your initial post, do you run the script once per required certificate? Or are the IPs etc. fed into a loop which produces a number of certs for you?

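The approach DaveK describes, generating a certreq .inf per device in a loop so that IP literals land in the SAN as "IP Address=" rather than "DNS Name=", as an added example that is not code from the question or the answers. It assumes the template name "StandAlone" from the question; $CaConfig is a placeholder for your CA's "HOST\CA Name" string, and the device list is constructed sample input.

```powershell
# Added example: one certreq .inf per device with DNS and IP SAN entries.
# Assumptions: template "StandAlone" (from the question); $CaConfig is a
# placeholder for your issuing CA; $Devices is constructed sample input.
$CaConfig = 'CAHOST\Your-Issuing-CA'   # placeholder, see "certutil -dump" for the real value
$Template = 'StandAlone'
$Devices  = @(                          # constructed sample input
    @{ Name = 'mdm01.corp.example'; Sans = @('mdm01.corp.example', '10.20.30.41') },
    @{ Name = 'mdm02.corp.example'; Sans = @('mdm02.corp.example', '10.20.30.42', 'fd00::42') }
)

function New-SanInf {
    param([string]$Subject, [string[]]$Sans, [string]$Template)
    $lines = @(
        '[Version]', 'Signature="$Windows NT$"', '',
        '[NewRequest]', "Subject = `"CN=$Subject`"", 'KeyLength = 2048', 'KeySpec = 1',
        'Exportable = FALSE', 'MachineKeySet = TRUE', 'RequestType = PKCS10', '',
        '[RequestAttributes]', "CertificateTemplate = $Template", '',
        '[Extensions]', '2.5.29.17 = "{text}"'
    )
    foreach ($san in $Sans) {
        $ip = $null
        # TryParse decides the SAN entry type: a valid IPv4/IPv6 literal becomes
        # ipaddress=, anything else is written as dns=. This is what keeps an
        # address out of the DNS Name list that Get-Certificate -DnsName produces.
        if ([System.Net.IPAddress]::TryParse($san, [ref]$ip)) {
            $lines += "_continue_ = `"ipaddress=$($ip.IPAddressToString)&`""
        } else {
            $lines += "_continue_ = `"dns=$san&`""
        }
    }
    return ($lines -join "`r`n")
}

foreach ($d in $Devices) {
    $base = Join-Path $env:TEMP $d.Name
    New-SanInf -Subject $d.Name -Sans $d.Sans -Template $Template |
        Set-Content -Path "$base.inf" -Encoding ASCII
    # Create the request, submit it to the enterprise CA and install the issued cert
    certreq.exe -new "$base.inf" "$base.req"
    certreq.exe -submit -config $CaConfig "$base.req" "$base.cer"
    certreq.exe -accept "$base.cer"
}
```

Run it from an elevated prompt, since MachineKeySet = TRUE writes the key into the machine store; after certreq -accept, inspect the certificate in Cert:\LocalMachine\My to confirm the SAN shows both entry types.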