Generate SAN certificate request using Certreq
This is the recommended method to generate a certificate request CSR that includes SANs - without enabling the highly insecure EDITF_ATTRIBUTESUBJECTALTNAME2 option on a Windows CA - using a template file and certreq. This is condensed from the very confusing Microsoft doco, which includes methods for generating a CSR on pre-2008 OSes that hopefully won't pertain to anything required now. (You can generate a CSR on a more modern OS, submit, and export the cert plus private key for transfer to an ancient OS if necessary, as long as the encryption method and key length don't exceed the OS capabilities.)
This example is for a typical SSL server cert, such as for a web server.
1. Create CSR template
Create a text file with the required certificate info per the template below.
- A Subject name is not always required or desirable for SAN certs
- The Extensions section with OID 2.5.29.17 is required to define the SAN(s). Each FQDN must be formatted as depicted. (It is not recommended to include SAN types other than DNS names for SSL SANs.)
- The [Request Attributes] section and template name can be omitted if you're not submitting to a Windows Enterprise CA.
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=www01.fabrikam.com" ; Remove to use an empty Subject name.
;Because SSL/TLS does not require a Subject name when a SAN extension is included, the certificate Subject name can be empty.
;If you are using another protocol, verify the certificate requirements.
Exportable = FALSE ; TRUE = Private key is exportable
KeyLength = 2048 ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; Key Exchange – Required for encryption
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10 ; or CMC.
[EnhancedKeyUsageExtension]
; If you are using an enterprise CA the EnhancedKeyUsageExtension section can be omitted
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
[Extensions]
; SANs are included by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
continue = "dns=www01.fabrikam.com&"
continue = "dns=myserver.fabrikam.com&"
[RequestAttributes]
CertificateTemplate=WebServer ; Modify for your environment by using the LDAP common name of the template.
;Required only for enterprise CAs.
2. Create encoded CSR file
- Use Certreq.exe to generate the encoded CSR file from the template. Once generated, the CSR can be submitted to any CA to request a certificate.
Certreq.exe -new <template text> <CSR file>
e.g.
Certreq.exe -new SAN.inf SAN.req
- Validate the CSR contains the correct info by running
certutil -dump SAN.req and checking the output for the properly formatted SANs.
This procedure also generates the private key on the computer where the request is created. If this computer will have the cert installed locally, there's no need to export the private key - it's generally preferable to generate the CSR on the destination computer (if there's only one, naturally).
3. Submit CSR to Windows CA
- If you're submitting to a Windows CA, run the following to submit the CSR and export the resulting certificate file (if the CA immediately issues it). If the CA responds with an error or status indicating intervention is required (e.g. the CA admin must issue the cert manually), note the request number.
Certreq.exe -submit <CSR file> <Certificate file>
e.g.
Certreq.exe -submit SAN.req SAN.cer
The CSR can be copied to any computer that has connectivity to the CA server for submission (including naturally the CA server itself), if the client machine does not have connectivity.
If you know the Enterprise CA server name, include -config CAserverFQDN\CAserver immediately after -submit. Otherwise, you'll get a popup prompting you to select the CA server instance (even if there's just one in the environment).
If you don't specify an output file name, you will be prompted for one if the certificate is issued automatically.
If the CSR was generated without template information and you need to submit it to an enterprise CA, you can specify the template on the commandline using the -attrib parameter
Certreq.exe -submit -attrib "CertificateTemplate:WebServer" SAN.req SAN.cer
4. (if desired) Install new certificate
- To install the new cert into the Local Machine cert store from the command line, run
Certreq.exe -accept -machine SAN.cer
- Alternatively, just double-click the cert to install it via the GUI.
Create and submit SAN certificate request in Windows GUI to Enterprise CA
If you're more comfortable in the GUI, it's easy to submit a cert request and install a cert in an enterprise AD environment with a known web server template.
- Begin by running
Certlm.msc.
- Right-click Personal Certificates > All Tasks > Request New certificate
- Click through the next two screens until you reach the list of templates published in Active Directory
- Check the box by the appropriate template for web services in your environment (e.g. Web Server) - note that your account permissions will limit what you can see here.
- Open the Details dropdown and select Properties. Alternatively, there may be a link with the text "More information is required to enrol for this certificate..."
- On the Subject tab in the Certificate Properties, enter a suitable Common name for the Subject, if required
- In the Alternative names section, select Type: DNS and add the FQDNs for the desired SANs.
- Options for key usage and so on should be preconfigured on the other tabs.
- Check for any further customisations that may be required on the other tabs (e.g. export private key - this is not required if you're generating the request on the same computer that will be using the cert, which is preferred)
- Click OK to close the Certificate properties window.
- Click Enroll in the wizard - the certificate should be autoenrolled and installed in the machine account Personal certificate store.
Any errors are likely due to constraints in the certificate template - e.g. "export private key" may be blocked or require the CA admin to approve issuance (per best practice). Check with the CA admin. For highly-firewalled environments, it's also possible that the client machine doesn't have RPC access to the CA server, which is required for this method.
Generate custom non-Enterprise SAN CSR in Windows GUI
This brief guide is for generating a custom CSR that is intended to be submitted to a non-Enterprise CA.
- Begin by running
certlm.msc
- Right-click Personal Certificates > All Tasks > Advanced Operations >
Create Custom Request
- When the wizard opens, click Next > Certificate Enrolment. Select "Proceed without enrolment policy".
- Select Template: (no template) CNG Key or Legacy key, depending on
your requirement
- In the Certificate Information screen, click on the
Details dropdown and open the request Properties
- On the Subject tab in the Certificate Properties, enter a suitable Common Name for the Subject, if required
- In the Alternative names area, select Type: DNS and add the FQDNs for the desired SANs
- In the Extensions tab, expand Key Usage and add "Digital Signature". Expand Extended Key Usage and add "Server Authentication".
- In the Private Key tab, under Key Options, select an appropriate key size. Select a specific CSP if required. If you are not generating this on the computer that will use the certificate, tick the option "Make private key exportable".
- Review all the tabs and options for any further customisations that might be required (e.g. a friendly name)
- Click OK to close the Certificate Properties window.
- Click Next in the request wizard, select a path to export the CSR file and save it.
The CSR can now be submitted to a CA for certificate issuance.
Also note that properly-formatted SAN CSRs created by openssl and similar tools can be used to issue certs from a Windows CA.
