Create a Subject Alternative Name certificate with Active Directory Certificate Services
Last modified at 5/7/2014 6:44 PM by Koen Zomers
It is possible to create a Subject Alternative Name (SAN) certificate using the Active Directory Certificate Services (AD CS) role that ships with Windows Server. The advantage of a SAN certificate is that it lets you list several FQDNs in one certificate instead of falling back on a wildcard certificate. A wildcard covers every host under the domain, so one compromised private key exposes all of them; a SAN certificate only covers the names you put in it. Since Microsoft ISA 2006, Microsoft Threat Management Gateway 2010 and many other firewall products predate Server Name Indication and only allow one SSL certificate per IP address, a SAN certificate also saves you from having to use additional (public) IP addresses.
In order to create a SAN certificate, follow these steps. This tutorial assumes you already have deployed an Active Directory Certificate Services server on your network and are using Windows 2008 R2. It may very well work on other Windows versions as well, but naming might be different.
If you already have your Active Directory Certificate Services configured with a template that allows SAN certificates to be generated, skip ahead to the part about requesting the certificate (Request New Certificate from the Certificates snap-in) for the explanation on how to request a SAN certificate from it.
- Log on to your Active Directory Certificate Services server
- Via the start menu, go to Administrative Tools and click Certification Authority
In the certsrv application that opens, expand the node with your certificate authority and click on Certificate Templates
Right-click this Certificate Templates node and click on Manage
In the Certificate Templates Console that opens, look for the template with the Template Display Name Web Server. Right-click it and click on Duplicate Template.
Select the minimum Certificate Authority Windows version used in your environment and click OK. I'll go with Windows Server 2008 Enterprise since I do not have any Windows 2003 Certificate Services servers in my network.
In the Properties of New Template window on the General tab, enter a name that you find suitable for your new template. This name will not show up anywhere in the certificate or during the certificate request and only identifies the template in the templates store, so it really does not matter much what you make of it. I'll enter SAN Web Server. Also make sure you check Publish certificate in Active Directory.
Go to the Security tab. Add the computers in your domain that will be requesting SAN certificates from your Certification Authority. Beware, not the users, but the computers. You may get out of this one easily by adding <DOMAIN NAME>\Domain Computers to the list, which grants every computer in your Active Directory domain the right to request SAN certificates from your certificate authority. This isn't the most secure option obviously: the Web Server template lets the requester supply the subject and alternative names, so every principal with Enroll on this template can obtain a certificate for any host name, including names that belong to other servers. Keep the list to the specific computers that need it, and if you cannot, consider requiring CA certificate manager approval on the Issuance Requirements tab so each request is checked before it is issued. Provide the computer(s) you add to the list with Read and Enroll; that is all enrollment needs. Write lets the principal modify the template itself (its extended key usage, name handling and approval settings), so do not grant it to enrollees.
You may change other settings on other tabs as you wish. If you want to be able to export the created certificates to other servers, make sure you check Allow private key to be exported on the Request Handling tab. Click OK once done. You will now see your new template added to the list with templates.
Next thing to do is request the SAN certificate from your Active Directory Certificate Services server. Log on to the server on which you want to use the certificate, for example your IIS web server or your ISA/TMG gateway server. Open the start menu, click on Run, enter mmc and press Enter.
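Before anyone enrolls against the new template, it is worth checking what the Security tab actually produced. The following PowerShell script is an added example, not part of the original tutorial: it reads the template object from the Configuration partition and reports who can enroll, who can modify the template, whether the requester supplies the subject names, and whether requests are pended for CA manager approval. It assumes the RSAT ActiveDirectory module is installed and that the template's object name is SANWebServer (AD CS derives the name from the display name "SAN Web Server" by removing spaces; check the Template Name field in the Certificate Templates Console if unsure).

```powershell
# Added example (not the tutorial's own code): audit the duplicated template's
# enrollment permissions and flags before letting anyone enroll against it.
# Assumption: the template object name is SANWebServer.
Import-Module ActiveDirectory

$TemplateName = 'SANWebServer'
$EnrollRight  = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AllExtended  = [guid]'00000000-0000-0000-0000-000000000000'   # ACE that covers every extended right

$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -Identity $dn -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag'

# Bit 0x1 of msPKI-Certificate-Name-Flag: the requester supplies subject and SAN names
# (set on Web Server and on anything duplicated from it).
$enrolleeSuppliesSubject = ($tpl.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0
# Bit 0x2 of msPKI-Enrollment-Flag: requests are pended until a CA certificate manager approves them.
$requiresApproval = ($tpl.'msPKI-Enrollment-Flag' -band 0x2) -ne 0

# Rights that allow changing the template object itself (EKU, name flags, approval, ACL).
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll,GenericWrite,WriteDacl,WriteOwner,WriteProperty'
$extended  = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl = Get-Acl -Path "AD:\$dn"
$enrollers = @()
$writers   = @()
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs are not evaluated here
    $rights = [int]$ace.ActiveDirectoryRights
    if (($rights -band $extended) -ne 0 -and
        ($ace.ObjectType -eq $EnrollRight -or $ace.ObjectType -eq $AllExtended)) {
        $enrollers += $ace.IdentityReference.Value
    }
    if (($rights -band $writeMask) -ne 0) {
        $writers += $ace.IdentityReference.Value
    }
}
$enrollers = $enrollers | Sort-Object -Unique
$writers   = $writers   | Sort-Object -Unique

"Template:                   $TemplateName"
"Requester supplies subject: $enrolleeSuppliesSubject"
"CA manager approval:        $requiresApproval"
"Can enroll:                 $($enrollers -join ', ')"
"Can modify template:        $($writers -join ', ')"

# The combination to avoid: requester-supplied names, no approval step, and a broad group enrolled.
$broadGroups = 'Domain Computers', 'Domain Users', 'Authenticated Users'
$broadEnrollers = $enrollers | Where-Object {
    $principal = $_
    $broadGroups | Where-Object { $principal -like "*\$_" -or $principal -eq $_ }
}
if ($enrolleeSuppliesSubject -and -not $requiresApproval -and $broadEnrollers) {
    Write-Warning "Any member of $($broadEnrollers -join ', ') can obtain a certificate for any host name from this template."
}
```

Run it as a user that can read the Configuration partition (any domain user can, by default). If the warning fires, either narrow the Enroll permission to the specific machines or turn on CA certificate manager approval on the template; the script reports both so you can confirm the change took effect.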
Once the window named Console1 has opened, go to the File menu and click on Add/Remove Snap-in
On the left side under Available snap-ins, select Certificates and click on the Add > button in the center of the window
In the Certificates snap-in popup, choose Computer account and click on Next >
In the next screen, leave Local computer selected and click Finish
You will now see the certificates snap-in has been added to the list with Selected snap-ins. Click OK to close the window.
Expand the Certificates (Local Computer) node, under that the Personal node and under that click the Certificates node
If you're doing this on a Microsoft Threat Management Gateway 2010 server, you need to make sure your server can communicate with your Active Directory Certificate Services server first. By default TMG does not allow the required DCOM over RPC communication. If you're not requesting the certificates on an ISA or TMG server, skip this step and proceed with the next one. To verify whether RPC calls are being blocked, open up a Command Prompt window and enter:
certutil -ping -config <name of your certificate authority server>
The full config string certutil expects is <CA server name>\<CA name>, for example ca01.zomers.eu\Zomers Issuing CA; use that form if the server name alone does not resolve to a CA.
If you get a response like "Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722)", the requests are being blocked.
If you receive a response stating "Server <server name> ICertRequest2 interface is alive", your server is okay and you can continue with the next step. Otherwise continue reading this step.
Open up Forefront TMG Management using the link in the start menu.
Once the ForeFront TMG window is open, expand the ForeFront TMG node and click the Firewall Policy node.
Right-click the Firewall Policy node, go to All Tasks, click on System Policy and then click on Edit System Policy
In the System Policy Editor window, click on the Active Directory node under Authentication Services and uncheck the box for Enforce strict RPC compliance. Click on OK to close the window.
Click on Apply to apply the change. It may take a few minutes before it is actually applied to your system, even though you will already get a notification that it has been applied. Keep trying the certutil -ping command described above until you get a successful result. Once you do, continue with the next step. Note that relaxing strict RPC compliance applies to all RPC traffic the Active Directory system policy rule covers, not only to certificate enrollment, so re-enable it once you have your certificate if the gateway does not need ongoing enrollment.
Switch back to the Console1 window with the Certificates snap-in added to it. Right-click on the Certificates node under Certificates (Local Computer) \ Personal, click on All Tasks and click on Request New Certificate
In the Certificate Enrollment wizard, click Next
On the next step, leave Active Directory Enrollment Policy selected and click Next
On the next step, check the box in front of the template you created (SAN Web Server in this tutorial) and click on the More information is required link under it.
In the Certificate Properties popup under Subject name at Type, select Common name. In the Value field under it, enter the domain name you wish to create the certificate for and click Add >. Under Alternative name at Type select DNS and in Value enter the same domain name again and click Add >. Repeat this step for each domain name you want to add to this SAN certificate. If you want to create a wildcard certificate, enter *.<yourdomain> in both the Common name and DNS fields, i.e. *.zomers.eu. It is even possible to mix one or more wildcard names with one or more specific domain names. Do note that *.zomers.eu does not cover https://zomers.eu. You'll need to add zomers.eu as a separate specific domain. Also note that the last Common name you add to the list will be shown as the primary domain in the certificate, so make sure your most favorable domain is added last. Every name, including the one you used as Common name, must also be present as a DNS alternative name: clients that support SAN ignore the Common name when a SAN extension is present, so a name that only appears in the Common name will fail validation.
Switch to the General tab and enter a name that you find identifiable for the certificate that you're creating. This may be anything you like. The same goes for the description, which is optional and may be anything.
If you want the certificate to be exportable to another server, go to the Private Key tab, expand the Key options section and check Make private key exportable. Only do this if you really need it: a non-exportable key cannot be copied off the server by anyone who gets local administrator access, so it is safer to leave this unchecked. In order to be able to select this option, the template must have Allow private key to be exported checked on its Request Handling tab, as described when the template was created.
On the Certification Authority tab, make sure the right certification authority is selected which you want to sign your certificate request. If you only have one certificate services server in your network, you will see that it is selected by default.
Click OK to close the Certificate Properties window and click Enroll in the Certificate Enrollment window to file the request.
Click Finish to close the Certificate Enrollment wizard. Your certificate has now been created and is ready to be used.
Now use the certificate to configure ISA/TMG or your web server the way you are used to. If you're unfamiliar with how to do this, there are multiple tutorials on this matter to be found on the internet. Once you have your web server set up to use the certificate, you can enjoy secure encrypted browsing to your web server.
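The wizard steps above can also be done from the command line with certreq, which is handy on a gateway without a comfortable console session and makes the exact names in the request reproducible. The following PowerShell script is an added example and not part of the original tutorial: it pings the CA (the same check the TMG section relies on), writes a request .inf that names the template and puts every host name in the Subject Alternative Name extension, submits the request, installs the issued certificate into Local Computer\Personal, and verifies the SAN. It assumes the template name is SANWebServer, the CA config string is ca01.zomers.eu\Zomers Issuing CA, and the host names wanted are www.zomers.eu and zomers.eu; adjust all three.

```powershell
# Added example (not the tutorial's own code): request a SAN certificate from AD CS with certreq.
# Assumptions: template name, CA config string and host names below are placeholders.
$CaConfig     = 'ca01.zomers.eu\Zomers Issuing CA'
$TemplateName = 'SANWebServer'
$PrimaryName  = 'www.zomers.eu'
$SanNames     = 'www.zomers.eu', 'zomers.eu'     # every name, including the CN, goes into the SAN
$WorkDir      = Join-Path $env:TEMP 'sanreq'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Confirm the CA is reachable over RPC/DCOM before building anything.
certutil -ping -config $CaConfig
if ($LASTEXITCODE -ne 0) { throw "CA $CaConfig is not reachable; fix the RPC path first." }

# 2. Build the request .inf. The SAN is the 2.5.29.17 extension, one _continue_ line per name.
#    Exportable stays FALSE unless the key really has to move to another machine.
$sanLines = ($SanNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$PrimaryName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $TemplateName

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@
Set-Content -Path (Join-Path $WorkDir 'request.inf') -Value $inf -Encoding ASCII

# 3. Create the request, submit it, and install the issued certificate into
#    Local Computer\Personal (the same store the MMC wizard uses).
Push-Location $WorkDir
certreq -new request.inf request.req
certreq -submit -config $CaConfig request.req cert.cer
certreq -accept cert.cer
Pop-Location

# 4. Verify the SAN: clients ignore the CN when a SAN is present, so every name must be listed.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$PrimaryName" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$PrimaryName found in Local Computer\Personal." }
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
$missing = $SanNames | Where-Object { $sanText -notmatch [regex]::Escape($_) }
if ($missing) { throw "Issued certificate is missing SAN entries: $($missing -join ', ')" }
"Thumbprint $($cert.Thumbprint) issued with SAN: $sanText"
```

If the template requires CA certificate manager approval, certreq -submit prints a request ID and the request sits in Pending Requests on the CA; after a manager issues it, fetch it with certreq -retrieve <request ID> cert.cer and then run certreq -accept cert.cer. For a wildcard, put *.zomers.eu in $SanNames and $PrimaryName exactly as you would in the wizard, and keep the bare zomers.eu as a separate entry since the wildcard does not cover it.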