how to add subject alternative name(s) to certreq command line

  • Question

  • I am trying to create certificates for use with HP ilo.

    The default request created is a blob between ---BEGIN CERTIFICATE REQUEST----  and ---END CERTIFICATE REQUEST---.

    In other words, not an .inf type file that I can edit.

    The certificate created when I use the above request uses the short name of the machine for the Subject Name. I would like to add the fqdn and the ip address to the subject alternative name field, so I can connect with either: shortname, fqdn, or ip address, and not get a certificate error popup.

     

    What is the syntax to do this with certreq?

    Wednesday, January 25, 2012 9:31 PM

Answers

  • To do this, you must enable the Subject Alternative Name option at the CA (this is required because the SAN is not part of the original request, but tagged on during submission of the request).

    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    net stop certsvc
    net start certsvc

    Then resubmit the request using the same command as your previous post

    Brian

    • Proposed as answer by Vadims Podans (MVP) Thursday, January 26, 2012 6:18 AM
    • Marked as answer by Bruce-Liu Monday, January 30, 2012 1:58 AM
    Thursday, January 26, 2012 12:38 AM

All replies

  • Further digging had me construct the following command:

    certreq -submit -attrib "CertificateTemplate:HPilo\nSAN:dns=ilo-veeam.mshs.com&ipaddress=10.0.10.27" ilo-veeam.req.txt

    Unfortunately the certificate issued did not have any Subject Alternative Name information.

    Wednesday, January 25, 2012 10:01 PM
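    The alternative to tagging the SAN on at submission time is to carry it inside the request itself, so the CA-side EditFlags change is never needed. The following is an added example (not from the thread, not HP or Microsoft code) of a certreq .inf that does this with the host names, IP address and template name used above; the CA config string, file paths and key parameters are assumptions. It only applies where the device lets you import an externally generated key pair and certificate; if the iLO must generate its own CSR, the SAN has to come from the device's own CSR settings.

```powershell
# Added example: build a CSR that carries its own subjectAltName (OID 2.5.29.17)
# so the CA does not need EDITF_ATTRIBUTESUBJECTALTNAME2 to issue a SAN certificate.
# Names, IP and template come from the thread; paths, CA config and key settings are assumed.
# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=ilo-veeam.mshs.com"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
; 0xA0 = Digital Signature + Key Encipherment
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; subjectAltName in {text} form; entries are joined with & across _continue_ lines
2.5.29.17 = "{text}"
_continue_ = "dns=ilo-veeam.mshs.com&"
_continue_ = "dns=ilo-veeam&"
_continue_ = "ipaddress=10.0.10.27"

[RequestAttributes]
CertificateTemplate = HPilo
'@

Set-Content -Path .\ilo-veeam.inf -Value $inf -Encoding ASCII

# Generate key pair and CSR from the inf (the SAN is now part of the signed request)
certreq -new .\ilo-veeam.inf .\ilo-veeam.req

# Submit to the issuing CA; "CA01.mshs.com\MSHS Issuing CA" is an assumed config string,
# certutil -dump on a domain member lists the real one
certreq -submit -config "CA01.mshs.com\MSHS Issuing CA" .\ilo-veeam.req .\ilo-veeam.cer

# Confirm the SAN entries are present in the issued certificate before installing it
certutil -dump .\ilo-veeam.cer | Select-String -Pattern "Subject Alternative Name" -Context 0,4
```

    Because the SAN is inside the PKCS#10 request and covered by its signature, the template's subject-name rules still govern what the CA issues, which is the property the EditFlags approach gives up.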
  • However, I would advise to avoid this flag usage, because it is unsafe. General guidance is described here:

    http://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Thursday, January 26, 2012 6:18 AM
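    A practical follow-up to the warning above: with EDITF_ATTRIBUTESUBJECTALTNAME2 set, the CA honours a SAN passed as a request attribute for every template, regardless of what the template's subject rules say, so it is worth checking whether a CA already carries the flag. The following audit script is an added example (not from the thread and not part of the PSPKI module); the CA config string is an assumption, and the bit value 0x40000 is the documented value of EDITF_ATTRIBUTESUBJECTALTNAME2.

```powershell
# Added audit example: report whether a CA has EDITF_ATTRIBUTESUBJECTALTNAME2
# (bit 0x40000 of policy\EditFlags) and optionally clear it.
# "CA01.mshs.com\MSHS Issuing CA" is an assumed config string; certutil -dump lists yours.
param(
    [string]$CAConfig = "CA01.mshs.com\MSHS Issuing CA",
    [switch]$Remediate
)
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

# certutil prints the DWORD as "EditFlags REG_DWORD = <hex> (<decimal>)" followed by flag names
$out  = certutil -config $CAConfig -getreg policy\EditFlags
$line = $out | Select-String -Pattern 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)'
if (-not $line) { throw "Could not read policy\EditFlags from $CAConfig" }
$flags = [Convert]::ToInt32($line.Matches[0].Groups[1].Value, 16)

if ($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
    Write-Warning "$CAConfig honours requester-supplied SAN attributes for every template (EDITF_ATTRIBUTESUBJECTALTNAME2 is set)."
    if ($Remediate) {
        # The leading '-' on the flag name tells certutil to clear that bit
        certutil -config $CAConfig -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
        # The policy module re-reads EditFlags only when the CA service restarts
        $caHost = $CAConfig.Split('\')[0]
        Invoke-Command -ComputerName $caHost -ScriptBlock { Restart-Service certsvc }
    }
} else {
    Write-Output "${CAConfig}: EDITF_ATTRIBUTESUBJECTALTNAME2 is not set."
}
```

    Run it without -Remediate first to see the current state; certificates that genuinely need extra names are better served by putting the SAN in the request (or in a template that supplies it) than by re-enabling the flag.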