Creating an SSL Certificate with Subject Alternative Name (SAN) Fields for IIS

For a while now we have been able to use the Common Name (CN) field in an SSL certificate to give browsers the identity of the host name for which this certificate was requested. However, this practice has actually been deprecated in favor of using the Subject Alternative Name (SAN) fields.

This was unfortunately brought to light for me when I upgraded to Chrome version 58. This version finally eliminates the usage of the CN field altogether. My lab server was using an SSL cert that was requested through my domain CA using IIS manager. IIS manager allows you to create requests directly from the “Server Certificates” section. However, this wizard does not include any SAN fields in its request.

To work around this, I used the following procedure to create a new domain certificate with the proper SAN fields:

Creating the Custom SAN Certificate Request

1. Open MMC and then add in the Certificates snap-in (File -> Add/Remove Snap-in).
2. Choose to manage certificates for the Computer Account -> Local Computer.

3. In the Console Root tree, right-click the Certificates -> Personal -> Certificates folder.
4. Select All Tasks -> Advanced Operations -> Create Custom Request. Click Next to get started.

5. Then on the Select Certificate Enrollment Policy page, select Active Directory Enrollment Policy. Click Next.

6. On the Custom Request page, select the Web Server template and PKCS#10 for the format. Click Next.

7. Click the arrow to the right of Details. Then click the Properties button.

8. On the Subject page -> Subject Name field, select Common Name and then add your server name in the Value field. Then under the Alternative Name field, choose DNS then add each server you want to cover as values one at a time. Click OK then Next.

9. Choose the file location and click Finish.
10. You can view the SAN property of the new certificate by double-clicking the cert and selecting the Details tab -> Subject Alternative Name.

Requesting the Certificate

1. From the start menu, type certreq. You will be prompted for the location of the request file. Use the location of the cert request file we created earlier.

2. Select your Certification Authority and click OK. This will then send the request to the CA.

3. Select the location of your certificate file. This can be saved on your desktop since it is not used until it is imported.

Importing the Certificate

1. Once the customized SAN-enabled certificate file is created, it needs to be imported into the computer’s certificate store. Back in MMC, right-click the “Personal -> Certificates” folder and select “All Tasks -> Import”. Choose the certificate file we created in earlier steps.

From this point, you can then select the certificate in IIS manager.
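
A scripted equivalent of the three sections above, as an added example that is not part of the original post: it builds a certreq INF request carrying the SAN extension, submits it to the CA, accepts the issued certificate into the machine store, and then checks that the SAN is really present. The host names, CA config string and working folder are placeholder assumptions, and the `WebServer` template name assumes your CA publishes the default Web Server template.

```powershell
# Run from an elevated PowerShell prompt. All values below are placeholders.
$CommonName = 'web01.lab.example'
$DnsNames   = @('web01.lab.example', 'web01')   # every name clients will use
$CaConfig   = 'CA-HOST\CA-NAME'                 # omit -config below to get the CA picker
$WorkDir    = Join-Path $env:TEMP 'san-request'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# One "_continue_" line per DNS name in the SAN extension (OID 2.5.29.17).
$sanLines = ($DnsNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

# Exportable = FALSE keeps the private key on this server; set it to TRUE only
# if you must export a .pfx, and protect that file accordingly.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$CommonName"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
$sanLines

[RequestAttributes]
CertificateTemplate = WebServer
"@

$infPath = Join-Path $WorkDir 'request.inf'
$reqPath = Join-Path $WorkDir 'request.req'
$cerPath = Join-Path $WorkDir 'issued.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

certreq -new $infPath $reqPath                       # key pair + PKCS#10 request
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }
certreq -submit -config $CaConfig $reqPath $cerPath  # send the request to the CA
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed' }
certreq -accept $cerPath                             # install into Local Computer\Personal
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# Confirm the issued certificate actually carries the SAN entries.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$CommonName" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $san.Format($true) } else { Write-Warning 'Issued certificate has no SAN extension' }
```

The final check matters because a CA or template that ignores request-supplied extensions will still issue a certificate, just without the SAN, and browsers that ignore the CN will reject it.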

If there are any other steps that are missed or any shortcuts not mentioned, please add them in the comments below. Hope this helps save someone some time!


  1. Great tutorial, Erik! Thank you so much. I was looking for this kind of information but most other sites only talk about requests to external CAs.

    The only thing I would like to note is that I had to run certreq as administrator, otherwise I got an error that I am not allowed to create this type of certificate and I could not continue.

    Additionally, in step no. 8 one can add some additional certificate information like Organization, Country etc.
    And on the “Private Key” tab one can also add the option to be able to export the private key. I used that to be able to export as .pfx and then import the cert and the key as .pem files to a Linux server via openssl like described here:

    Thank you once again! Microsoft and Google made our life so complicated again…



  2. Thanks for this straight forward tutorial! It helped me heaps today!


  3. This helped me out huge today. Thanks!


  4. hi there
    this was really helpful


  5. Thank you so much for this! I followed numerous other guides but kept getting stuck, this was what I needed.


  6. Good info, but wanted to note that the LetsEncrypt website certificate expired earlier this month.

