How to Create a San Certificate using Certificate Manager

Leave a comment
Share

When creating a Certificate for a web service it is sometimes necessary to use multiple names to ensure the certificate is still valid. For example, if you have a hostname of citrix.mycompany.local, some users might use the short name of Citrix and in doing so will get a certificate error.

To ensure that you allow the certificate to work with multiple hostnames you can add an additional attribute known as the Subject Alternate Name, entries within this attribute are also validated against the destination hostname.

The common way to create a SAN certificate is to use a Certificate template as detailed here. However this can be quite complex for some Administrators, so I thought I’d document how to create a SAN Certificate from the Certificate Manager GUI:-

 

Launch the Cert management GUI using Start – Run type mmc and then click – File – Add/Remove Snap-in.

 

Screen Shot 2015-02-20 at 10.27.20

Select Certificates and Computer Account

Screen Shot 2015-02-20 at 10.27.32

 

Select the Local Computer

Screen Shot 2015-02-20 at 10.27.39

The Certificate management console will then be displayed.

Screen Shot 2015-02-20 at 10.28.10

 

One we have the management console open, we need to create the Request to be signed by the Certificate Authority. As we are requiring a SAN certificate we need to create a custom request; Right Click The certificate folder under personal store – All Tasks – Advanced Operations – Create Custom Request.

 

2015-02-20 10_36_32

 

This will start the Certificate Enrolment Wizard

Click next in Certificate Enrolment Wizard’s welcome window –

Select “Proceed without enrolment policy” under Custom Request & click next in the Custom Request window

Select (No template) Legacy key & PKCS #10 as request format and Click Next

 

Screen Shot 2015-02-20 at 10.44.13

Screen Shot 2015-02-20 at 10.44.20

Screen Shot 2015-02-20 at 10.44.49

In Certificate Information Page click the Details icon then Properties. It will open up Certificate Properties window, where we can define different attributes.

Screen Shot 2015-02-20 at 10.44.56

On the Generals Tab, Choose a friendly name

Screen Shot 2015-02-20 at 10.51.46

Under the Subject tab we can define the primary hostname (Common Name) and the DNS (alternate names). The DNS attributes are where you list all the other hostnames that the cert can be used for.

2015-02-20 11_03_24-Screen Shot

 

Under Extension tab select Extended Key Usage; add Server Authentication from the available options.

Screen Shot 2015-02-20 at 10.53.42

Under Private Key, select key size. Over here I just left it as default. You may like to select a relevant key size for you corporate policy. Under Key Type select “Exchange“

Screen Shot 2015-02-20 at 10.54.39

Then Choose a file name and the request is generated.

Screen Shot 2015-02-20 at 10.54.59

 

The Request can now be sent to the CA for signing.

Leave a Reply

Your email address will not be published. Required fields are marked *