by lunarg on March 13th 2024, at 14:19

You can use the CertReq command line tool to request SAN SSL certificates. This can be useful where you have an internal (web)server which also needs to be available using another (alternate) DNS name.

First create a template file specifying the required parameters. Save it under a name such as request.inf in a temporary (work) folder (or simply your desktop):

;----------------- request.inf -----------------
[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=SERVER1.domain.com, OU=Some OU, O=Organization, L=City, S=State, C=US"
;Subject = "CN=SERVER1.domain.com"
KeySpec = 1
KeyLength = 2048
; Can be 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
; TRUE allows the private key to be exported later
; (needed for the optional PFX export mentioned below).
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft Strong Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
; 0xa0 = Digital Signature (0x80) + Key Encipherment (0x20)

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[RequestAttributes]
CertificateTemplate=WebServer

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=server1.domain.com&"
_continue_ = "dns=server.domain.com"

Adjust the following parameters in the file:

  • Adjust Subject so it matches the FQDN of the server itself. If you are creating the request for an AD-joined server and are using a Windows Enterprise CA (AD Certificate Services), you can also specify only the CN (second line in the file; comment/uncomment with ; accordingly).
  • In the Extensions section, adjust and add all SANs you need. Ensure that each line except the last ends with &" (an ampersand before the closing quote); the last line has no ampersand.

Next, open a command prompt, and navigate to the folder where you saved the INF-file. Run a series of commands to create, submit and accept the certificate request:

  1. Create a new certificate signing request. This also creates a private key and stores it in the local computer certificate store:
    certreq -new request.inf server1.req
  2. If your server is AD-joined, submit the request to the AD CS:
    certreq -submit server1.req
    You will be prompted to select an AD CS, even if there's only one. You will also be asked to save a file, which is the signed certificate file. Save it to the same folder and name it, e.g. server1.cer.
  3. Accept the certificate and store it as a certificate with private key in the local computer certificate store:
    certreq -accept server1.cer
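As an added example (not from the original post), the same procedure as a PowerShell script: it builds request.inf from a list of SANs so the trailing & rule is applied automatically, runs the three certreq steps, and then checks that the stored certificate has a private key and carries every requested SAN. The variable names $Subject, $SanNames and $WorkDir and the sample DNS names are assumptions; keys left at their FALSE defaults in the template above are omitted.

```powershell
# Added example, not part of the original post. Hypothetical names: $Subject, $SanNames, $WorkDir.
$Subject  = "CN=SERVER1.domain.com, OU=Some OU, O=Organization, L=City, S=State, C=US"
$SanNames = @("server1.domain.com", "server.domain.com")   # constructed sample values
$WorkDir  = Join-Path $env:TEMP "certreq-work"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Every _continue_ line except the last must end with "&" inside the quotes.
$sanLines = for ($i = 0; $i -lt $SanNames.Count; $i++) {
    $suffix = if ($i -lt $SanNames.Count - 1) { "&" } else { "" }
    '_continue_ = "dns={0}{1}"' -f $SanNames[$i], $suffix
}
# Same settings as the template above; keys left at their FALSE defaults are omitted.
$inf = @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "$Subject"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft Strong Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate=WebServer
[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@
$infPath = Join-Path $WorkDir "request.inf"
$reqPath = Join-Path $WorkDir "server1.req"
$cerPath = Join-Path $WorkDir "server1.cer"
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Create, submit (the CA picker still appears; naming the output file skips the save dialog) and accept.
certreq -new $infPath $reqPath
certreq -submit $reqPath $cerPath
certreq -accept $cerPath

# Check the result: the new cert must have a private key and carry every requested SAN.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=SERVER1.domain.com*" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$missing = $SanNames | Where-Object { -not $sanExt -or $sanExt.Format($true) -notmatch [regex]::Escape($_) }
if (-not $cert -or -not $cert.HasPrivateKey -or $missing) { throw "Check failed (missing SANs: $missing)" }
```

Run it in an elevated PowerShell on the server itself, since the key is created in the local computer store.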

You can now use the certificate in your applications on that server. Optionally, you can export the certificate to PFX and use it elsewhere.