Creating an SSL Certificate with Subject Alternative Name (SAN) Fields for IIS

For a while now we have been able to use the Common Name (CN) field in an SSL certificate to give browsers the identity of the host name for which this certificate was requested. However, this practice has actually been deprecated in favor of using the Subject Alternative Name (SAN) fields.

This was unfortunately brought to light for me when I upgraded to Chrome version 58. This version finally eliminates the usage of the CN field altogether. My lab server was using an SSL cert that was requested through my domain CA using IIS manager. IIS manager allows you to create requests directly from the “Server Certificates” section. However, this wizard does not include any SAN fields in its request.

To work around this, I used the following procedure to create a new domain certificate with the proper SAN fields:

Creating the Custom SAN Certificate Request

1. Open MMC and then add in the Certificates snap-in (File -> Add/Remove Snap-in).
2. Choose to manage certificates for the Computer Account -> Local Computer.

3. In the Console Root tree, right-click the Certificates -> Personal -> Certificates folder.
4. Select All Tasks -> Advanced Operations -> Create Custom Request. Click Next to get started.

5. Then on the Select Certificate Enrollment Policy page, select Active Directory Enrollment Policy. Click Next.

6. On the Custom Request page, select the Web Server template and PKCS#10 for the format. Click Next.

7. Click the arrow to the right of Details. Then click the Properties button.

8. On the Subject page -> Subject Name field, select Common Name and then add your server name in the Value field. Then under the Alternative Name field, choose DNS then add each server you want to cover as values one at a time. Click OK then Next.

9. Choose the file location and click Finish.
10. You can view the SAN property of the new certificate by double-clicking the cert and selecting the Details tab -> Subject Alternative Name.

Requesting the Certificate

1. From the start menu, type certreq. You will be prompted for the location of the request file. Use the location of the cert request file we created earlier.

2. Select your Certification Authority and click OK. This will then send the request to the CA.

3. Select the location of your certificate file. This can be saved on your desktop since it is not used until it is imported.

Importing the Certificate

1. Once the customized SAN-enabled certificate file is created, it needs to be imported into the computer’s certificate store. Back in MMC, right-click the “Personal -> Certificates” folder and select “All Tasks -> Import”. Choose the certificate file we created in earlier steps.

From this point, you can then select the certificate in IIS manager.
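
The same request, submit and import sequence can be scripted with certreq and an INF file. This is an added example, not part of the original post. The host names and file names are constructed placeholders, and the template name WebServer and the key settings (2048-bit, non-exportable) are assumptions to adjust for your CA.

```powershell
# Added example: scripted equivalent of the MMC/certreq steps; run elevated.
# Host names and file names are constructed placeholders.
$dnsNames = 'web01.lab.example', 'web01'   # first name is also used as the CN
$inf = Join-Path $env:TEMP 'san-request.inf'
$req = Join-Path $env:TEMP 'san-request.req'
$cer = Join-Path $env:TEMP 'san-request.cer'

# One dns= entry per name for the SAN extension (OID 2.5.29.17).
$sanLines = $dnsNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }

@(
    '[Version]'
    'Signature = "$Windows NT$"'
    '[NewRequest]'
    "Subject = `"CN=$($dnsNames[0])`""
    'KeyLength = 2048'
    'KeySpec = 1'
    'MachineKeySet = TRUE'
    'Exportable = FALSE'
    'RequestType = PKCS10'
    '[RequestAttributes]'
    'CertificateTemplate = WebServer'   # assumed template name
    '[Extensions]'
    '2.5.29.17 = "{text}"'
    $sanLines
) | Set-Content -Path $inf -Encoding ASCII

# Create the PKCS#10 request; the private key stays in the machine store.
certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }
# No -config given, so certreq asks which CA to use, as in the steps above.
certreq.exe -submit $req $cer
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed' }
# Install the issued certificate and bind it to the pending private key.
certreq.exe -accept -machine $cer
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# Check that the installed certificate carries every requested SAN entry.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$($dnsNames[0])" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'issued certificate not found in LocalMachine\My' }
$missing = $dnsNames | Where-Object { $cert.DnsNameList.Unicode -notcontains $_ }
if ($missing) {
    Write-Warning "SAN is missing: $($missing -join ', ')"
} else {
    "SAN covers: $($cert.DnsNameList.Unicode -join ', ')"
}
```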

If there are any other steps that are missed or any shortcuts not mentioned, please add them in the comments below. Hope this helps save someone some time!
