
Subject Alternative Name not added to certificate

Server Fault Asked by omni on December 1, 2021

I’m trying to issue a new certificate using the additional attributes field within the Windows CertSrv Web-Enrollment Client.

I added the CSR, picked the template and entered this into the attributes field:

SAN:dns=HOSTNAME&dns=HOSTNAME.DOMAIN.COM&ipaddress=IPADRESS

The request is successful but when I check the signed certificate no “Alternative Names” attribute is added to it. Am I missing something? Maybe an issue with the Template? (used a default Win 2003 level webserver template copy with some custom settings).

/edit
Also I’ve tried to use

certreq -submit -attrib "CertificateTemplate:MYTEMPLATE" <Cert Request.req> -attrib "SAN:dns=HOSTNAME&dns=HOSTNAME2&ipaddress=IPADDRESS"

resulting in the same problem: cert gets generated, but without any SAN attribute.

/edit2
also I’ve set the CA to issue SAN certificates using

certutil -setreg policyEditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

and restarting the CA service. Still: no SANs.

Please note: using req. files and OpenSSL to generate the CSR I’m able to generate certificates using the CA which have some SANs included. However this option is not valid in my current situation since I’m getting the CSR from an application and I’m not able to manually generate one for the application.

/edit3
I tried using the default webserver certificate WITHOUT any changes and suddenly it worked. So now the question is: what are the template requirements to enable SAN?

2 Answers

There's a good answer here, too, which solved the problem for me: http://terenceluk.blogspot.com/2017/09/adding-san-subject-alternative-name.html

It seems by default the certificate service does not actually accept SubjectAltName input from the web form, for possibly good security reasons. As someone comments on this page - it depends on how well you trust the access controls to your cert services web console.

Answered by Rich B on December 1, 2021

I know this is old, but I've just figured it out myself and thought it might help someone else. I too have been unable to get CA to add the SAN via either the web page or the certreq ... -attrib "SAN:DNS=<FQDN>[&DNS=<FQDN2>...]..." format. The SAN attribute was ignored, even though the certificate was issued.

However, I found that it works with this format: certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=<Name1>[&DNS=<name2>...][&IPAddress=<IP1>...]" <csr filename> <cer filename>

For example, if you have a certificate request file called HP_VC.csr and you want the subject alternative names to be vc1, vc2, vc1.domain.com, vc2.domain.com, 192.168.1.1, and 192.168.1.2 the command would be:

certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=vc1&DNS=vc2&DNS=vc1.domain.com&DNS=vc2.domain.com&IPAddress=192.168.1.1&IPAddress=192.168.1.2" HP_VC.csr HP_VC.cer

The certificate in HP_VC.cer will contain the SAN attribute.

I'm using this for HP Virtual Connect (VC) modules, Onboard Administrators (OA) and iLOs. It should work for any generic situation that needs a certificate with a SAN.

Answered by ERJM on December 1, 2021
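The following PowerShell is an added example, not code from either answer above. It wraps the certreq form ERJM describes (template and SAN joined by a literal \n inside one -attrib string), then reads the issued .cer back and lists the names in its Subject Alternative Name extension so you can confirm the SAN really landed instead of trusting a successful submission. It also covers Rich B's point about EDITF_ATTRIBUTESUBJECTALTNAME2 by reading the CA's policy EditFlags with certutil. It assumes certreq.exe and certutil.exe are on the PATH and that you have enroll rights on the template; the CA config string, file paths and host names are placeholders or values taken from the answers.

```powershell
# Added example (not from the Server Fault answers). Submits a CSR with template and SAN
# request attributes, verifies the SAN on the issued certificate, and reports whether the
# CA accepts SAN request attributes at all.

function Submit-CsrWithSan {
    param(
        [Parameter(Mandatory)] [string]$CsrPath,
        [Parameter(Mandatory)] [string]$CerPath,
        [string]$Template = 'WebServer',
        [string[]]$DnsNames = @(),
        [string[]]$IpAddresses = @(),
        [string]$CaConfig          # placeholder, e.g. 'CAHOST\CA-NAME'; omit to be prompted
    )
    # Build "DNS=a&DNS=b&IPAddress=x" in the form certreq expects.
    $parts = @($DnsNames | ForEach-Object { "DNS=$_" }) +
             @($IpAddresses | ForEach-Object { "IPAddress=$_" })
    $sanValue = $parts -join '&'
    # PowerShell does not treat \n as an escape, so "\n" stays a literal backslash-n,
    # which is the separator certreq uses between name/value pairs inside -attrib.
    $attrib = "CertificateTemplate:$Template\nSAN:$sanValue"
    $cmdArgs = @('-submit')
    if ($CaConfig) { $cmdArgs += @('-config', $CaConfig) }
    $cmdArgs += @('-attrib', $attrib, $CsrPath, $CerPath)
    & certreq.exe @cmdArgs
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
}

function Get-CertificateSan {
    # Returns the DNS names and IP addresses found in the certificate's SAN extension,
    # or an empty array if the extension is missing (the symptom in the question).
    param([Parameter(Mandatory)] [string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if (-not $ext) { return @() }
    # Single-line Format() output looks like "DNS Name=vc1, DNS Name=vc2, IP Address=192.168.1.1".
    ($ext.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}

function Test-CaAllowsSanAttribute {
    # True when EDITF_ATTRIBUTESUBJECTALTNAME2 is set in the CA policy module's EditFlags.
    # Without it the CA silently drops the SAN attribute; with it, every principal that can
    # enroll on a template can ask for arbitrary SANs, so review who can reach the CA and
    # the web enrollment pages before enabling it.
    param([string]$CaConfig)   # placeholder, e.g. 'CAHOST\CA-NAME'
    $cmdArgs = @()
    if ($CaConfig) { $cmdArgs += @('-config', $CaConfig) }
    $cmdArgs += @('-getreg', 'policy\EditFlags')
    $out = & certutil.exe @cmdArgs
    return (($out -join "`n") -match 'EDITF_ATTRIBUTESUBJECTALTNAME2')
}

# Usage with the names from ERJM's example (HP_VC.csr, vc1, 192.168.1.1):
#   Submit-CsrWithSan -CsrPath .\HP_VC.csr -CerPath .\HP_VC.cer -Template WebServer `
#       -DnsNames vc1,vc1.domain.com -IpAddresses 192.168.1.1
#   Get-CertificateSan -CerPath .\HP_VC.cer      # expect vc1, vc1.domain.com, 192.168.1.1
#   Test-CaAllowsSanAttribute
```

If Get-CertificateSan returns nothing after a successful submission, check Test-CaAllowsSanAttribute first; if the flag is set and the SAN is still missing, the template is the next thing to compare against the stock WebServer template, as the question's third edit found.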
