How to make sure internal certificate authority is supporting SAN certificate feature?

SAN Certificate for IIS 7.5 Web Servers – Part 3

• How to configure multiple websites to access using host headers?
  
• How to create a certificate signing request for our IIS web server?
  
• How to make sure internal certificate authority is supporting SAN certificate feature?
  
• How to generate SAN certificate from internal Windows 2003 certificate authority?
  
• How to configure/import SAN certificate in IIS 7.x?
  

How to make sure internal certificate authority is supporting SAN certificate feature?

Certificate servers come with Policy Modules
to provide different services. There are different types of extensions attached to the policy modules can be turned on so clients can submit their requests for those features.

CertificateAuthority_MicrosoftDefault.Policy is the default policy module in a Windows 2003 Certificate server.

Certutil –getreg commad shows different configuration parameters for default policy module

Certutil -getreg policy\EditFlags shows which extensions are turned for the default policy module.

SAN certificate extension can be turned on using below syntax

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

SAN certificate extension can be turned off using below syntax

(I didn’t try this one – Just researched from Google – May be sometime later I will try this.)

certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2

Here are some registry screenshots before & after turned on. I am not sure if it can be turned on by just changing below registry key. May be sometime later I will try this

After Turned ON

In Windows 2008 CA use below command to enable SAN extensions!

certutil –setreg policy\SubjectAltName enabled
certutil –setreg policy\SubjectAltName2 enabled
net stop certsvc
net start certsvc

47.606209 -122.332071