For those that want to quickly request a new SSL certificate via your Enterprise Certificate Authority, using a GUI instead of certutil commands, here is a tutorial on how to do so.
- Login to the server you want the SSL cert with the SAN address.
- Click Start->Run->MMC
- Click File->Add/Remove Snap-Ins
- Select Certificates and click Add >
- Select Computer account and click Next >
- Click Finish
- Click OK
- Expand Certificates (Local Computer)->Personal->Certificates
- Right click on the right pane and select All Tasks -> Request New Certificate...
- Click Next on the Certificate Enrollment screen
- Select Active Directory Enrollment Policy and click Next
- Check what type of certificate you would like to request and click on the "Click here to configure settings." link
- Note: you must have configured a template for this link to show up. By default you will only see Computer, which will not allow you to request the certificate with the SAN address
- On the certificate properties page, enter in the following info for the Subject name
- Common name
- Country
- Locality
- Organization
- Organization Unit
- State
- On the certificate properties page, enter in the following info for the Alternative Name
- DNS of the FQDN (common name)
- DNS of the SAN name (short name)
- You should now have something like this
- Optionally, click on the Private Key tab, expand Key options, and check Make private key exportable
- Click OK on the Certificate Properties window
- Click Enroll
- Click Finish once the request has been signed
At this point, you can export the certificate from the machine or have your application reference it.
