How to Request a Certificate With a Custom Subject Alternative Name
Updated: May 2, 2013
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2, Windows Server 2008 R2 Foundation, Windows Server 2012, Windows Server 2012 R2
This guide describes procedures for requesting a certificate that includes custom subject alternative names (SANs) and provides guidance for choosing which procedures should be used.
The use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) for secure communications is common to many Internet and enterprise server technologies. A valid server authentication certificate is a fundamental requirement of the SSL/TLS protocols.
The use of SANs in server authentication certificates enables a single certificate to be bound to multiple names on a single computer; for example, a Web server might be identified by multiple DNS names. Also, multiple computers might host a Web site and each computer can request a certificate with the site's DNS name in the SAN.
Using this guide
This guide describes security best practices for allowing custom SANs in certificates and provides procedures that can be used to request a certificate with a SAN.
This guide includes the following sections:
Security best practices for allowing SANs in certificates
Using the Certificate Enrollment wizard (for computers running Windows Server 2008, Windows Vista, or later)
Using Certreq.exe
For some combinations of client computer operating system and CA, two different procedures can be used: one procedure using the command-line application Certreq.exe and another procedure using either the Certificate Enrollment wizard or the CA Web enrollment pages. The choice is a matter of preference, experience with the applications being used, number of certificates, and the requirements of your organization.
Certreq.exe can be used with any of the listed combinations of client and CA. However, SANs can be specified by using three different methods depending on your client computer operating system version and CA type. Procedures are described for all three methods.
This guide does not describe procedures that use CA Web enrollment pages. Using CA Web enrollment pages and SAN attributes requires EDITF_ATTRIBUTESUBJECTALTNAME2 to be enabled on your CA. Review Security best practices for allowing SANs in certificates before enabling EDITF_ATTRIBUTESUBJECTALTNAME2.
For procedures describing how to use CA Web enrollment pages to add SAN attributes to certificate requests, see article 187306 in the Microsoft Knowledge Base. The procedures are the same for a Web server certificate and a secure LDAP certificate.
If you have a high number of certificates to request, Certreq.exe can be used in a script or batch file to automate the certificate request procedures. Use the procedures and commands described in this guide as examples.
For programmatic automation of certificate request processes, see Creating Certificate Requests By Using Certificate Enrollment Control.
This guide does not provide guidance for scripting or automation.
Security best practices for allowing SANs in certificates
The following are security best practices for allowing SANs in certificates:
In general, the use of user-defined SANs can increase the risk of impersonation attacks because it allows a user to specify arbitrary names in a certificate request. Because user input can be abused by persons with malicious intent, precautions should be taken to mitigate the risks associated with the use of user-defined SANs and protect the integrity of your public key infrastructure (PKI).
Certificate requests that contain SANs should be held in a pending state until they can be reviewed by a certificate manager. For information about configuring certificate templates to require certificate manager approval, see Issuance Requirements.
Implement administrative procedures for reviewing pending certificate requests and verifying the requester is authorized to use the requested subject names.
Implement separation of duties and role-based administration to ensure that individuals who can request certificates with SANs cannot also issue them. See Implement Role-Based Administration.
Restrict usage of SANs to only those individuals that require it, such as administrators who install Web server certificates. For information about configuring certificate template security, see Issuing Certificates Based on Certificate Templates.
Do not enable EDITF_ATTRIBUTESUBJECTALTNAME2 on an enterprise CA. If this is enabled, user-defined SANs are allowed in every certificate request.
Whenever possible, specify a SAN by using certificate extensions instead of request attributes to avoid enabling EDITF_ATTRIBUTESUBJECTALTNAME2.
If you must enable EDITF_ATTRIBUTESUBJECTALTNAME2, consider adding to your PKI a standalone CA that issues only certificates with SANs.
If you must use SAN attributes because your server that requires a certificate with a SAN is running Windows Server 2003, consider completing certificate enrollment procedures on a computer that is running Windows Server 2008, Windows Vista, or later.
Using the Certificate Enrollment wizard
The Certificate Enrollment wizard can be used to include SANs in a certificate request. The Certificate Enrollment wizard can submit the request to an enterprise CA, or the request can be saved to a file and submitted to a standalone CA in your organization, a public CA, or another CA product.
Understand your CA procedures and requirements for certificate requests. In particular, you should confirm the following before creating a certificate request:
Cryptographic service provider (CSP)
Supported request formats: CMC, PKCS #7, or PKCS #10
The Certificate Enrollment wizard is available beginning with computers running Windows Server 2008 or Windows Vista. The wizard can be used to submit certificate requests to enterprise and standalone CAs running Windows Server 2003 or later.
Procedures are described for using the Certificate Enrollment wizard with an enterprise CA or standalone CA. Use the procedure that is appropriate for your CA type.
You must be a member of the local Administrators group to complete these procedures.
Using the Certificate Enrollment wizard with an enterprise CA
Complete the following procedure to request a certificate with a SAN for a computer running Windows Server 2008 or later. You must use an enterprise CA running Windows Server 2008 or later.
The Web Server certificate template is used as an example in the following procedure. Use the template that is appropriate for your environment. The account used to create the request must have Read and Enroll permissions on the certificate template. The template must be configured to accept user-defined SANs.
To use the Certificate Enrollment wizard with an enterprise CA
Log on to the server as a member of the local Administrators group.
Click Start.
In the Search programs and files box, type mmc.exe, and press ENTER.
On the File menu, click Add/Remove Snap-in.
In the list of available snap-ins, click Certificates, and then click Add.
Click Computer account, and click Next.
Click Local computer, and click Finish.
Click OK.
In the console tree, double-click Certificates (Local Computer), and then double-click Personal.
Right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Enrollment wizard.
Click Next.
Click Next.
Select the Web Server template. Click the warning icon below More information is required to enroll for this certificate. Click here to configure these settings.
Note the warning icon on the Subject tab. This tells you what type of information is required.
Note
Because SSL/TLS does not require a Subject name when a SAN extension is included, the Subject name can be empty. If you are using another protocol, verify the certificate requirements. To use an empty Subject name, skip steps 15 and 16.
In the Subject name area under Type, click Common Name.
In the Subject name area under Value, enter the fully qualified domain name of the server, and then click Add.
In the Alternative name area under Type, click DNS.
In the Alternative name area under Value, enter the fully qualified domain name of the server, and then click Add.
Repeat steps 17 and 18 above for each additional SAN that you require. Click OK when finished.
Note
If you are requesting a certificate for a computer other than your client computer, the private key must be exportable. To specify that the private key is exportable, click the Private Key tab, click the Key Options arrow, and click Make private key exportable. The CA must also be configured to support exportable private keys.
Click Enroll.
After enrollment succeeds, click Finish.
Using the Certificate Enrollment wizard with a standalone CA
Complete the following procedure to create a certificate request with a SAN.
The certificate request is saved to a file that can be submitted to a standalone CA in your organization, a public CA, or another CA product that accepts certificate requests as defined in IETF RFC 4211.
To use the Certificate Enrollment wizard with a standalone CA
In the Certificates snap-in, right-click the Personal folder, point to All Tasks, point to Advanced Operations, and then click Create Custom Request.
This will start the Certificate Enrollment wizard.
Click Next.
Click Proceed without enrollment policy, and then click Next.
In the Template list, click either (No template) CNG key or (No template) Legacy key. (No template) CNG key will ensure that the private key will be generated by the new Cryptography Next Generation key storage provider (KSP) and may not be usable by all applications. To ensure interoperability, click (No template) Legacy key, which will use the CAPI2 cryptographic service provider (CSP).
For Request format, click either PKCS #10 or CMC. PKCS #10 is generally accepted by all CAs. If you will not submit the custom request to a Microsoft standalone CA, check with your CA vendor to determine if the CMC format is supported.
Click Next.
Click the Details arrow, and then click Properties. You will need to configure all the certificate request options so that the issued certificate will be suitable for TLS/SSL.
On the Subject tab:
Note
Because SSL/TLS does not require a Subject name when a SAN extension is included, the Subject name can be empty. If you are using another protocol, verify the certificate requirements. To use an empty Subject name, skip steps 8a and 8b.
a. In the Subject name area under Type, click Common Name.
b. In the Subject name area under Value, enter the fully qualified domain name of the server, and then click Add.
c. In the Alternative name area under Type, click DNS.
d. In the Alternative name area under Value, enter the fully qualified domain name of the server, and then click Add.
e. Repeat steps c and d above for each SAN you want to specify.
On the Extensions tab:
Click the Key usage arrow. In the Available options list, click Digital signature, and then click Add. Click Key encipherment, and then click Add.
Click the Extended Key Usage (application policies) arrow. In the Available options list, click Server Authentication and Client Authentication, and then click Add.
On the Private Key tab:
Click the Cryptographic Service Provider arrow, and verify the following:
If you selected (No template) CNG key in step 4 above, the RSA, Microsoft Software Key Storage Provider is enabled.
If you selected (No template) Legacy key in step 4 above, the Microsoft RSA SChannel Cryptographic Provider is enabled.
Click the Key options arrow. In the Key size list, select a key size. If desired, select the Make private key exportable check box. Do not select either the Allow private key to be archived or Strong private key protection check box.
Click the Select Hash Algorithm arrow. In the Hash Algorithm list, select the desired hash algorithm.
Warning
The specified hash algorithm is used in the request. You must specify a hash algorithm that is compatible with your client computer and CA.
Click the Key permissions arrow. If the application or service runs as Network Service, grant the Network Service account Read permission. If the application or service that will use this certificate runs as Local System, no permissions changes are required.
Click OK.
Click Next.
Enter a path and file name indicating where the request file will be saved.
Select the Base 64 format.
Click Finish.
Next, submit the certificate request and complete certificate enrollment by using Certreq.exe. See Completing certificate enrollment by using Certreq.exe.
Using Certreq.exe
Certreq.exe is a command-line tool that is used to perform several certificate enrollment operations.
This section includes the following procedures:
Creating a RequestPolicy.inf file
Customizing RequestPolicy.inf for your environment
Generating a SAN extension by using MakeSanExt.vbs
Creating a certificate request by using Certreq.exe
Completing certificate enrollment by using Certreq.exe
Creating a RequestPolicy.inf file
To create a new certificate request, Certreq.exe reads certificate request settings from a text file specified by the user. For example purposes, this guide uses the file name RequestPolicy.inf.
Complete the following procedure to create a certificate request policy settings file named RequestPolicy.inf. After saving the file, edit the settings by completing the procedure Customizing RequestPolicy.inf for your environment.
To create a RequestPolicy.inf file
Copy the text of the RequestPolicy.inf code section that follows this procedure.
Start Notepad.
On the Edit menu, click Paste.
On the File menu, click Save.
Type a path for the file, type the file name RequestPolicy.inf, and click Save.
```ini
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=www01.fabrikam.com" ; Remove to use an empty Subject name.
;Because SSL/TLS does not require a Subject name when a SAN extension is included, the certificate Subject name can be empty.
;If you are using another protocol, verify the certificate requirements.
EncipherOnly = FALSE ; Only for Windows Server 2003 and Windows XP. Remove for all other client operating system versions.
Exportable = FALSE ; TRUE = Private key is exportable
KeyLength = 2048 ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; Key Exchange - Required for encryption
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10 ; or CMC.

[EnhancedKeyUsageExtension]
; If you are using an enterprise CA the EnhancedKeyUsageExtension section can be omitted
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=www01.fabrikam.com&"
_continue_ = "dn=CN=www01,OU=Web Servers,DC=fabrikam,DC=com&"
_continue_ = "url=https://www.fabrikam.com&"
_continue_ = "ipaddress=172.31.10.134&"
_continue_ = "email=hazem@fabrikam.com&"
_continue_ = "upn=hazem@fabrikam.com&"
_continue_ = "guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39&"
; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP
; SANs can be included in the Extensions section only by adding Base64-encoded text containing the alternative names in ASN.1 format.
; Use the provided script MakeSanExt.vbs to generate a SAN extension in this format.
2.5.29.17=MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ==

[RequestAttributes]
; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP
; and you are using a standalone CA, SANs can be included in the RequestAttributes
; section by using the following text format.
SAN="dns=www01.fabrikam.com&dns=www.fabrikam.com&ipaddress=172.31.10.130"
; Multiple alternative names must be separated by an ampersand (&).
CertificateTemplate = WebServer ; Modify for your environment by using the LDAP common name of the template.
; Required only for enterprise CAs.
```
Customizing RequestPolicy.inf for your environment
When using Certreq.exe and a RequestPolicy.inf file, there are three methods that can be used to specify SAN information in a certificate request.
Identify your client operating system in the following table to determine which methods you can use.
Method | Windows Server 2008 R2 or later | Windows Server 2008 | Windows Server 2003 R2 | Windows Server 2003 | Windows 7 or later | Windows Vista | Windows XP
---|---|---|---|---|---|---|---
Add a SAN extension in text format to the Extensions section of RequestPolicy.inf. | X | X | | | X | X |
Add a SAN extension in base64-encoded ASN.1 format to the Extensions section of RequestPolicy.inf. | | | X | X | | | X
Add a SAN attribute to the RequestAttributes section of RequestPolicy.inf. | X | X | X | X | X | X | X
Warning
Adding a SAN attribute to the RequestAttributes section of RequestPolicy.inf also requires that the CA is configured to accept SAN attributes by enabling EDITF_ATTRIBUTESUBJECTALTNAME2, which can put your PKI at risk for impersonation attacks.
Whenever possible, specify SAN information by using certificate extensions instead of request attributes to avoid enabling EDITF_ATTRIBUTESUBJECTALTNAME2.
Do not enable EDITF_ATTRIBUTESUBJECTALTNAME2 on an enterprise CA.
For more information about risks and mitigations, see Security best practices for allowing SANs in certificates.
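The warning above and the best-practices section earlier in this guide both turn on one CA setting: the EDITF_ATTRIBUTESUBJECTALTNAME2 bit in the policy module's EditFlags. The following added example (not part of the original article, and not Microsoft code) shows how an auditor can check that bit from the output of `certutil -getreg policy\EditFlags` and classify the finding by CA type. The bit value 0x40000 is the documented value of EDITF_ATTRIBUTESUBJECTALTNAME2; the sample certutil output is constructed here (the CA name Fabrikam-CA is a placeholder, and the exact line layout is an assumption; only the `EditFlags REG_DWORD = <hex>` line is parsed).

```python
import re
import subprocess

# Documented value of the EDITF_ATTRIBUTESUBJECTALTNAME2 bit in EditFlags.
# When set, the CA honours a user-supplied SAN request attribute in every request.
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# The documented way to clear the bit (CertSvc must be restarted afterwards).
REMEDIATION = r"certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2"

# Constructed sample of `certutil -getreg policy\EditFlags` output; layout is an
# assumption, the DWORD values are the common default (0x11014e) and the same
# value with EDITF_ATTRIBUTESUBJECTALTNAME2 added (0x15014e).
SAMPLE_DEFAULT = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\Fabrikam-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 11014e (1114446)
CertUtil: -getreg command completed successfully.
"""
SAMPLE_SAN_ENABLED = SAMPLE_DEFAULT.replace("11014e (1114446)", "15014e (1376590)")


def parse_edit_flags(certutil_output: str) -> int:
    """Extract the EditFlags DWORD (printed in hex) from certutil output."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)", certutil_output)
    if not m:
        raise ValueError("EditFlags value not found in certutil output")
    return int(m.group(1), 16)


def san_attribute_enabled(certutil_output: str) -> bool:
    """True if the CA accepts SAN request attributes (the risky setting)."""
    return bool(parse_edit_flags(certutil_output) & EDITF_ATTRIBUTESUBJECTALTNAME2)


def audit_edit_flags(certutil_output: str, ca_type: str) -> list:
    """Return findings, graded as this guide grades the risk.

    ca_type is "enterprise" or "standalone". The guide says never to set the
    bit on an enterprise CA; on a dedicated standalone CA it is tolerable only
    with manager approval and separation of duties in place.
    """
    flags = parse_edit_flags(certutil_output)
    if not flags & EDITF_ATTRIBUTESUBJECTALTNAME2:
        return ["OK: SAN request attributes are ignored (EditFlags=0x%x)." % flags]
    if ca_type == "enterprise":
        return ["HIGH: EDITF_ATTRIBUTESUBJECTALTNAME2 is set on an enterprise CA; any enrollee "
                "can put arbitrary names in a certificate via request attributes. Clear it with: "
                + REMEDIATION]
    return ["MEDIUM: EDITF_ATTRIBUTESUBJECTALTNAME2 is set on a standalone CA; confirm it issues "
            "only SAN certificates and that requests are held pending for manager review."]


def collect_edit_flags() -> str:
    """Run certutil on the CA itself (Windows only); returns its stdout."""
    result = subprocess.run(["certutil", "-getreg", r"policy\EditFlags"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for line in audit_edit_flags(SAMPLE_SAN_ENABLED, "enterprise"):
        print(line)
```

Run `collect_edit_flags()` on the CA (or paste saved certutil output) and feed the text to `audit_edit_flags`; parsing the printed DWORD rather than reading the registry directly keeps the check usable from a saved configuration export during a review.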
After determining which method you will use, complete the following procedure to customize the RequestPolicy.inf file for your environment.
To customize RequestPolicy.inf for your environment
Open the RequestPolicy.inf file with Notepad.
Change the Subject name to match the FQDN of your server.
Note
Because SSL/TLS does not require a Subject name when a SAN extension is included, the Subject name can be empty. If you are using another protocol, verify the certificate requirements.
Add SAN information by completing one of the following steps:
Method 1: Change the text value of the SAN extension. Use the examples in the RequestPolicy.inf file as guidance.
Method 2: Generate base64-encoded SAN information by completing the procedure Generating a SAN extension by using MakeSanExt.vbs.
Method 3: Change the text value of the SAN attribute in the RequestAttributes section.
Remove the example SAN information for the two methods you are not using.
Review the rest of the settings in the file. Using the comments for guidance, change the values of other settings to meet the requirements of your organization and CA. The example values are appropriate for a server authentication certificate.
On the File menu, click Save.
Generating a SAN extension by using MakeSanExt.vbs
Complete the following procedure to generate a base64-encoded SAN extension.
To create and run MakeSanExt.vbs
Copy the text of the MakeSanExt.vbs code section that follows this procedure.
Start Notepad.
On the Edit menu, click Paste.
On the File menu, click Save.
Type a path for the file, type the file name MakeSanExt.vbs, and click Save.
At a command prompt, type the following command, and press ENTER:
Cscript MakeSanExt.vbs <FQDN> [<FQDN> … ]
Copy the command output, and paste it into the Extensions section of the RequestPolicy.inf file.
```vbscript
Option Explicit
' MakeSanExt.vbs: builds a DER-encoded SAN extension (OID 2.5.29.17) that
' contains one dNSName (GeneralName tag 0x82) per command-line argument,
' base64-encodes it with certutil, and prints the lines to paste into the
' [Extensions] section of RequestPolicy.inf.
Dim oArgs
Dim oShell
Dim oFileSystem
Dim oFile
Dim iFile
Dim iLine
Dim sLine
Dim aASNsubstring()
Dim i
Dim n
Dim sASN
Dim bDbg
' Column indexes of the per-name work array
Const HEX_DATA_LENGTH = 1
Const ASCIIDATA = 2
Const HEXDATA = 3
Const HEX_BLOB_LENGTH = 4
Const HEX_TYPE = 5
bDbg = False
Set oArgs = WScript.Arguments
Set oShell = WScript.CreateObject("WScript.Shell")
Set oFileSystem = CreateObject("Scripting.FileSystemObject")
If oArgs.Count = 0 Then
    WScript.Echo "Usage: cscript MakeSanExt.vbs <FQDN> [<FQDN> ...]"
    WScript.Quit 1   ' without this the loops below fail on the unsized array
End If
ReDim aASNsubstring(oArgs.Count - 1, 5)
For i = 0 To oArgs.Count - 1
    aASNsubstring(i, ASCIIDATA) = Trim(oArgs(i))
    aASNsubstring(i, HEX_TYPE) = "82"   ' context tag [2] = dNSName
    aASNsubstring(i, HEXDATA) = ""
    If bDbg Then WScript.Echo "aASNsubstring(" & i & ",2) = " & aASNsubstring(i, ASCIIDATA)
Next
'##############################################################################
'
' Create the ASN.1 file
'
'##############################################################################
If bDbg Then WScript.Echo "UBound(aASNsubstring,1) = " & UBound(aASNsubstring,1)
For n = 0 To UBound(aASNsubstring,1)
    If bDbg Then WScript.Echo "Len(aASNsubstring(n, ASCIIDATA)) = " & Len(aASNsubstring(n, ASCIIDATA))
    ' Hex-encode each character of the name (always two digits per byte)
    For i = 1 To Len(aASNsubstring(n, ASCIIDATA))
        aASNsubstring(n, HEXDATA) = aASNsubstring(n, HEXDATA) & _
            Right("0" & Hex(Asc(Mid(aASNsubstring(n, ASCIIDATA), i, 1))), 2)
    Next
    If bDbg Then WScript.Echo "aASNsubstring(n, HEXDATA) = " & aASNsubstring(n, HEXDATA)
    aASNsubstring(n, HEX_DATA_LENGTH) = ComputeASN1(Len(aASNsubstring(n, HEXDATA)) / 2)
    If bDbg Then WScript.Echo "aASNsubstring(n, HEX_DATA_LENGTH) = " & aASNsubstring(n, HEX_DATA_LENGTH)
    '
    ' Build the ASN.1 blob for DNS name: tag, length, value
    '
    sASN = sASN & _
        aASNsubstring(n, HEX_TYPE) & _
        aASNsubstring(n, HEX_DATA_LENGTH) & _
        aASNsubstring(n, HEXDATA)
    If bDbg Then WScript.Echo "sASN = " & sASN
Next
If bDbg Then WScript.Echo "sASN = " & sASN
'
' Write the ASN.1 blob into a file (named after the first FQDN)
'
Set oFile = oFileSystem.CreateTextFile(aASNsubstring(0, ASCIIDATA) & ".asn")
'
' Put SEQUENCE tag (0x30), total length and ASN.1 blob into the file
'
oFile.WriteLine "30" & ComputeASN1(Len(sASN) / 2) & sASN
oFile.Close
'
' Use certutil to convert the hexadecimal string into binary
'
oShell.Run "certutil -f -decodehex " & aASNsubstring(0, ASCIIDATA) & ".asn " & _
    aASNsubstring(0, ASCIIDATA) & ".bin", 0, True
'
' Use certutil to convert the binary into base64
'
oShell.Run "certutil -f -encode " & aASNsubstring(0, ASCIIDATA) & ".bin " & _
    aASNsubstring(0, ASCIIDATA) & ".b64", 0, True
'##############################################################################
'
' Create the INF file lines (printed to standard output)
'
'##############################################################################
Set iFile = oFileSystem.OpenTextFile(aASNsubstring(0, ASCIIDATA) & ".b64")
Set oFile = oFileSystem.CreateTextFile(aASNsubstring(0, ASCIIDATA) & ".txt")
WScript.Echo ""
iLine = 0
' certutil -encode wraps the base64 in PEM-style BEGIN/END CERTIFICATE lines;
' the first data line becomes the extension value, later lines use _continue_
Do While iFile.AtEndOfStream <> True
    sLine = iFile.ReadLine
    If sLine = "-----END CERTIFICATE-----" Then
        Exit Do
    End If
    If sLine <> "-----BEGIN CERTIFICATE-----" Then
        If iLine = 0 Then
            WScript.Echo "2.5.29.17=" & sLine
        Else
            WScript.Echo "_continue_=" & sLine
        End If
        iLine = iLine + 1
    End If
Loop
WScript.Echo "Critical=2.5.29.17"
WScript.Echo ""
oFile.Close
iFile.Close
'##############################################################################
'
' Compute the DER length encoding of iStrLen bytes (short form below 128,
' long form 0x8N followed by N length bytes otherwise)
'
'##############################################################################
Function ComputeASN1(iStrLen)
    Dim sLength
    If Len(Hex(iStrLen)) Mod 2 = 0 Then
        sLength = Hex(iStrLen)
    Else
        sLength = "0" & Hex(iStrLen)
    End If
    If iStrLen > 127 Then
        ComputeASN1 = Hex(128 + (Len(sLength) / 2)) & sLength
    Else
        ComputeASN1 = sLength
    End If
End Function
```
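The script above produces the base64 value that appears in the RequestPolicy.inf example (`2.5.29.17=MCaCEnd3dz...`), and the "Customizing" section earlier asks reviewers to verify pending requests. The following added Python example is not part of the original article and is not Microsoft's script: it reimplements the same DER GeneralNames encoding without needing certutil, goes beyond the script by also accepting IP addresses (GeneralName tag 0x87, `ipaddress=` in the text format), and adds a decoder so a certificate manager can list the names inside a base64 SAN value taken from a request file. Tag values and the length encoding follow RFC 5280 DER; the function names are this example's own.

```python
import base64
import ipaddress

# GeneralName context-specific tags (RFC 5280): [2] dNSName, [7] iPAddress.
TAG_DNS = 0x82
TAG_IP = 0x87
TAG_SEQUENCE = 0x30


def der_length(n: int) -> bytes:
    """DER length: one byte below 128, else 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_san(names) -> bytes:
    """Build the DER SEQUENCE of GeneralNames for DNS names and IP addresses."""
    out = b""
    for name in names:
        try:
            value = ipaddress.ip_address(name).packed   # 4 or 16 raw bytes
            tag = TAG_IP
        except ValueError:
            value = name.encode("ascii")                # IA5String payload
            tag = TAG_DNS
        out += bytes([tag]) + der_length(len(value)) + value
    return bytes([TAG_SEQUENCE]) + der_length(len(out)) + out


def san_extension_inf_lines(names, line_len=64) -> list:
    """Lines for the [Extensions] section, in the shape MakeSanExt.vbs prints."""
    b64 = base64.b64encode(encode_san(names)).decode("ascii")
    chunks = [b64[i:i + line_len] for i in range(0, len(b64), line_len)]
    lines = ["2.5.29.17=" + chunks[0]]
    lines += ["_continue_=" + c for c in chunks[1:]]
    lines.append("Critical=2.5.29.17")
    return lines


def _read_length(buf: bytes, pos: int):
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def decode_san(der: bytes) -> list:
    """Inverse of encode_san: (kind, value) pairs, for reviewing a request."""
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("SAN extension must start with a SEQUENCE")
    total, pos = _read_length(der, 1)
    end = pos + total
    if end != len(der):
        raise ValueError("SEQUENCE length does not match data length")
    names = []
    while pos < end:
        tag = der[pos]
        length, pos = _read_length(der, pos + 1)
        value = der[pos:pos + length]
        pos += length
        if tag == TAG_DNS:
            names.append(("dns", value.decode("ascii")))
        elif tag == TAG_IP:
            names.append(("ipaddress", str(ipaddress.ip_address(value))))
        else:
            names.append(("other-%02x" % tag, value.hex()))   # URI, email, ... not decoded here
    return names


def decode_san_b64(b64: str) -> list:
    """Convenience for a value copied from a RequestPolicy.inf or a request dump."""
    return decode_san(base64.b64decode(b64))


if __name__ == "__main__":
    for line in san_extension_inf_lines(["www01.fabrikam.com", "www.fabrikam.com"]):
        print(line)
    print(decode_san_b64("MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ=="))
```

The decoder is the useful half for the review step this guide recommends: a certificate manager can paste the SAN value from a pending request and confirm that every name listed is one the requester is authorised to use before issuing.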
Creating a certificate request by using Certreq.exe
A certificate request can be generated by using the Certreq -new command and the RequestPolicy.inf file containing the certificate request settings specified by the user.
To create a certificate request by using Certreq.exe
At a command prompt, type Certreq.exe -new <RequestPolicy.inf> <CertificateRequest.req> and press ENTER.
For additional command-line options, type Certreq.exe -new -?. The following table describes the options available.
Option | Description
---|---
RequestPolicy.inf | Input file containing request settings. See Creating a RequestPolicy.inf file.
CertificateRequest.req | Output file containing the certificate request created by the command.
Completing certificate enrollment by using Certreq.exe
Complete the following procedure to submit a certificate request to a CA and install the issued certificate on the client computer.
To complete certificate enrollment by using Certreq.exe
Open a command prompt.
Type certreq -submit -config "<ServerName\CAName>" "<CertificateRequest.req>" "<CertificateResponse.cer>" and press ENTER.
Note
If a message is displayed indicating that the certificate request is pending, the certificate must be issued by a certificate manager or CA administrator by using the Certification Authority snap-in. After the certificate is issued, it must be retrieved by using the command in step 3. If the certificate is issued immediately by the CA, the file specified by <CertificateResponse.cer> contains the certificate. Use the command in step 4 to install the certificate into the certificate store.
Type certreq -retrieve -config "<ServerName\CAName>" <RequestID> "<CertificateResponse.cer>" and press ENTER.
Type certreq -accept -config "<ServerName\CAName>" "<CertificateResponse.cer>" and press ENTER.
The following table describes the options available.
Option | Description
---|---
-config | The -config option is followed by a string specifying a host name and CA name in the format HostName\CAName.
ServerName | The name of the server that hosts the CA.
CAName | The CA name.
CertificateRequest.req | The path and name of the file containing the certificate request that was created by using either the Certificate Enrollment wizard or the Certreq.exe -new command.
CertificateResponse.cer | The path and name of the file receiving the issued certificate from the CA. If the certificate request is pending, the file contains a message from the CA indicating the status of the request and the request ID. The request ID is used to retrieve the certificate after it is issued by a certificate manager or CA administrator.
RequestID | Numeric value used to retrieve a certificate from your CA. The RequestID value is included in the response from the CA when the certificate request is held in a pending state.