Configure Windows 2016 CA to accept SAN

  • Question

  • Hi

    We have to issue a certificate with a SAN. The CSR is generated without a SAN from an appliance, and in the Web Server certificate template's Attributes we mentioned the SAN, but the generated certificate is not showing the SAN attribute. We found we need to run the following command to enable it:

    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

    Another article says to run the commands below:

    certutil -setreg policy\SubjectAltName enabled
    certutil -setreg policy\SubjectAltName2 enabled

    So what we plan is to enable the SAN feature and, once we have issued the certificate, disable the feature.

    We are looking for assistance with the right commands to enable and disable SAN on the Windows CA.

    Thanks in advance



    LMS

    Thursday, November 7, 2019 6:06 AM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    According to my knowledge, we can set up the SAN on the certificate template or when we create the CSR file.


    1. On the certificate template, we can set up the SAN as below:

    2. When we create the CSR file, we can set up the SAN as below:

    Log on to a machine and type certmgr.msc or certlm.msc.

    Right-click Personal -> All Tasks -> Advanced Operations -> Create Custom Request...

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 7, 2019 8:47 AM
    Moderator
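The "set up SAN when we create the CSR file" route Daisy describes, done from the command line with certreq and an INF file instead of the certlm.msc Create Custom Request wizard. This is an added example, not code from the thread or from Microsoft; the host names, the IP address and the template name are assumptions. Because the request already carries the SAN extension, the CA does not need any EditFlags change to issue it.

```powershell
# Added example, not from the thread: generate the CSR on a Windows host with the SAN
# already inside the request, so the CA needs no EditFlags change at all.
# The host names, IP address and template name below are assumptions.
$ErrorActionPreference = 'Stop'
$Fqdn      = 'appliance.corp.example.com'   # assumed
$ShortName = 'appliance'                    # assumed
$Ip        = '10.0.0.5'                     # assumed
$Template  = 'WebServer'                    # assumed template name on the CA
$Inf = Join-Path $env:TEMP 'appliance.inf'
$Csr = Join-Path $env:TEMP 'appliance.req'

# certreq INF: [Extensions] carries OID 2.5.29.17 (Subject Alternative Name);
# each _continue_ value is one SAN entry terminated with '&'.
# Exportable = TRUE because the key pair is created here and must later be exported
# as a PFX to the appliance that will actually present the certificate.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$ShortName&"
_continue_ = "ipaddress=$Ip&"

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $Inf -Encoding ASCII

# Create the key pair in the machine store and write the PKCS#10 request
certreq -new $Inf $Csr

# Check the SAN is inside the signed request before it goes anywhere near the CA
$dump = certutil -dump $Csr | Out-String
if ($dump -notmatch 'Subject Alternative Name' -or $dump -notmatch [regex]::Escape($Fqdn)) {
    throw "CSR $Csr does not carry the expected SAN"
}
Write-Host "CSR with SAN written to $Csr"
```

Run it in an elevated prompt (MachineKeySet needs it). The resulting .req is what you paste into the CA's web enrollment page or pass to certreq -submit; the certutil -dump check at the end is the quickest way to confirm the SAN survived before you ask the CA for anything.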
  • LMS,

    Because the CSR generated by your device has no SAN, the only way to add the SAN is to enable adding the SAN as an attribute of the request (as you have done).

    What I would recommend is the following (based on your findings):

    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

    restart-service certsvc

    Submit the request and issue the certificate

    certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2

    restart-service certsvc

    The part you are missing is the restart of ADCS to apply the registry change each time.

    Brian


    Thursday, November 7, 2019 4:18 PM
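Brian's enable, restart, submit, disable, restart sequence as one script, added here as an example that is not part of the thread. It reads EditFlags back from the registry after each change to confirm the bit really flipped, and reverts the flag in a finally block so the CA is never left with EDITF_ATTRIBUTESUBJECTALTNAME2 set if the submission fails. That matters: while the bit is set, the CA honours a SAN attribute on any request, for any template, from any principal with Enroll permission, so a requester can put another account's UPN into a certificate issued from a template with a client-authentication EKU. The request and output paths, the SAN values and the use of the local CA are assumptions; the template name is the one used later in this thread.

```powershell
# Added example, not from the thread: Brian's enable/submit/disable sequence as one script,
# with a check that the flag really changed and a finally block so it is never left enabled.
# Request file, output file, SAN values and the local-CA assumption are not from the thread.
$ErrorActionPreference = 'Stop'
$RequestFile = 'C:\req\appliance.req'                # assumed: CSR from the appliance, no SAN
$CertOut     = 'C:\req\appliance.cer'                # assumed
$Template    = 'WebServerCustomized'                 # template name used later in this thread
$San         = 'dns=appliance.corp.example.com&dns=appliance'   # assumed SAN values
$FlagBit     = 0x40000                               # EDITF_ATTRIBUTESUBJECTALTNAME2

# certutil -setreg policy\EditFlags writes this registry value on the active CA
$caName    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$policyKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
$caHost    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$caConfig  = "$caHost\$caName"                       # "host\CA name" config string for certreq

function Test-SanAttributeFlag {
    # Read EditFlags straight from the registry and test the bit certutil toggles
    [bool]((Get-ItemProperty $policyKey).EditFlags -band $FlagBit)
}

function Set-SanAttributeFlag([bool]$Enable) {
    $op = if ($Enable) { '+' } else { '-' }
    certutil -setreg policy\EditFlags "${op}EDITF_ATTRIBUTESUBJECTALTNAME2" | Out-Null
    # certsvc only reads EditFlags at start-up, so restart it after every change
    Restart-Service certsvc
    if ((Test-SanAttributeFlag) -ne $Enable) { throw "EditFlags did not change as expected" }
}

try {
    Set-SanAttributeFlag $true
    # \n is the literal separator certreq expects between Name:Value attribute pairs;
    # the SAN attribute is only honoured by the CA while the flag is on
    certreq -submit -config $caConfig -attrib "CertificateTemplate:$Template\nSAN:$San" $RequestFile $CertOut
}
finally {
    # Revert even if submission failed, so the CA does not stay in the permissive state
    Set-SanAttributeFlag $false
}
Write-Host "Issued $CertOut; SAN attribute flag still enabled: $(Test-SanAttributeFlag)"
```

Run it on the CA itself in an elevated prompt. If the template requires CA manager approval, certreq returns a pending request ID instead of a certificate; the flag is still reverted, and you would need to issue the pending request from the CA console before the window closes, which is a reason to prefer putting the SAN in the CSR when the appliance allows it.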
  • Hi,
    Has this question had any update, or is the issue solved? Also, is there any other assistance we could provide with the question?



    Best Regards,
    Daisy Zhou


    Monday, November 11, 2019 9:45 AM
    Moderator
  • Hi

    We followed the same steps mentioned by Daisy (step 2), then imported the request as Base64. Then we ran the command below to generate the certificate:

    certreq -attrib "CertificateTemplate:WebServerCustomized" -submit New-Cert Cert-Req.cer Certnew-ok.pfx

    Now import the certificate and provide it to the owner.


    LMS

    Tuesday, November 12, 2019 1:36 PM
  • Hi,
    Thank you for your update and sharing.

    Also, is there any other assistance we could provide with the question?

    Best Regards,
    Daisy Zhou


    Wednesday, November 13, 2019 10:28 AM
    Moderator
  • Hi,
    I am just writing to see if this question has had any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!



    Best Regards,
    Daisy Zhou


    Friday, November 15, 2019 2:16 AM
    Moderator