Request SSL Certificate With a Subject Alternative Name (SAN) via enterprise CA with a GUI

For those that want to quickly request a new SSL certificate via your Enterprise Certificate Authority, using a GUI instead of certutil commands, here is a tutorial on how to do so.

  1. Login to the server you want the SSL cert with the SAN address.
  2. Click Start->Run->MMC
    mmc
  3. Click File->Add/Remove Snap-Ins
    mmc - add-remove snap-in
  4. Select Certificates and click Add >
    mmc - add-remove-snap-in-certificates
  5. Select Computer account and click Next >
    certificates snap-in computer account
  6. Click Finish
    certificates snap-in local computer
  7. Click OK
    add-remove snap-ins local certificates
  8. Expand Certificates (Local Computer)->Personal->Certificates
    mmc - personal certificates
  9. Right click on the right pane and select All Tasks -> Request New Certificate…
    mmc - personal certificates request
  10. Click Next on the Certificate Enrollment screen
    certificate enrollment welcome
  11. Select Active Directory Enrollment Policy and click Next
    certificate enrollment policy
  12. Check what type of certificate you would like to request and click on the “Click here to configure settings.” link
    certificate enrollment selected policy

    1. Note: you must have configured a template for this link to show up.  By default you will only see Computer, which will not allow you to request the certificate with the SAN address
  13. On the certificate properties page, enter in the following info for the Subject name
    1. Common name
    2. Country
    3. Locality
    4. Organization
    5. Organization Unit
    6. State
  14. On the certificate properties page, enter in the following info for the Alternative Name
    1. DNS of the FQDN (common name)
    2. DNS of the SAN name (short name)
  15. You should now have something like this
    certificate request - properties
  16. Optionally, click on the Private Key tab, expand Key options, and check Make private key exportable
    certificate request - private key exportable
  17. Click OK on the Certificate Properties window
  18. Click Enroll
    certificate enrollment - enroll
  19. Click Finish once the request has been signed
    certificate enrollment - success

At this point, you can export the certificate from the machine or have your application reference it.

Leave a Reply

Your email address will not be published. Required fields are marked *