When creating a Certificate for a web service it is sometimes necessary to use multiple names to ensure the certificate is still valid. For example, if you have a hostname of citrix.mycompany.local, some users might use the short name of Citrix and in doing so will get a certificate error.
To ensure that you allow the certificate to work with multiple hostnames you can add an additional attribute known as the Subject Alternate Name, entries within this attribute are also validated against the destination hostname.
The common way to create a SAN certificate is to use a Certificate template as detailed here. However this can be quite complex for some Administrators, so I thought I’d document how to create a SAN Certificate from the Certificate Manager GUI:-
Launch the Cert management GUI using Start – Run type mmc and then click – File – Add/Remove Snap-in.
Select Certificates and Computer Account
Select the Local Computer
The Certificate management console will then be displayed.
One we have the management console open, we need to create the Request to be signed by the Certificate Authority. As we are requiring a SAN certificate we need to create a custom request; Right Click The certificate folder under personal store – All Tasks – Advanced Operations – Create Custom Request.
This will start the Certificate Enrolment Wizard
Click next in Certificate Enrolment Wizard’s welcome window –
Select “Proceed without enrolment policy” under Custom Request & click next in the Custom Request window
Select (No template) Legacy key & PKCS #10 as request format and Click Next
In Certificate Information Page click the Details icon then Properties. It will open up Certificate Properties window, where we can define different attributes.
On the Generals Tab, Choose a friendly name
Under the Subject tab we can define the primary hostname (Common Name) and the DNS (alternate names). The DNS attributes are where you list all the other hostnames that the cert can be used for.
Under Extension tab select Extended Key Usage; add Server Authentication from the available options.
Under Private Key, select key size. Over here I just left it as default. You may like to select a relevant key size for you corporate policy. Under Key Type select “Exchange“
Then Choose a file name and the request is generated.
The Request can now be sent to the CA for signing.