TechOnTip Weblog

Run book for Technocrats

How to make sure internal certificate authority is supporting SAN certificate feature?

Posted by Brajesh Panda on June 6, 2011

SAN Certificate for IIS 7.5 Web Servers – Part 3

Certificate servers come with policy modules that provide different services. Each policy module has a set of extensions that can be turned on so that clients can include those features in the requests they submit.

CertificateAuthority_MicrosoftDefault.Policy is the default policy module on a Windows 2003 certificate server.

The certutil -getreg command shows the configuration parameters of the default policy module.

certutil -getreg policy\EditFlags shows which extensions are turned on for the default policy module. EDITF_ATTRIBUTESUBJECTALTNAME2 appears in the output only when the SAN request-attribute feature is enabled.

The SAN request-attribute extension can be turned on with the syntax below (the CA service has to be restarted afterwards for the change to take effect):

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Be aware of what this flag actually does: it makes the CA honour a subject alternative name supplied as an unauthenticated request attribute (for example "san:dns=host.example.local" or "san:upn=someone@example.local"), which overrides whatever name the CSR or the template would otherwise produce. On an Enterprise CA that means any account allowed to enroll for a template can obtain a certificate for any name, including another user's UPN. Leave the flag off and put the SAN inside the CSR itself (the 2.5.29.17 extension in a certreq .inf) or use a template that allows the subject to be supplied in the request, and only consider the flag on a standalone CA where every request is approved by hand.

The SAN request-attribute extension can be turned off with the syntax below.

(I didn't try this one; I just researched it on Google. Maybe sometime later I will try it.)

certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2

Here are some registry screenshots from before and after turning it on. I am not sure if it can be turned on by just changing the registry key below; maybe sometime later I will try that.

After turned on (screenshot)

On a Windows 2008 CA the EditFlags command above still applies; the commands below are also reported to enable SAN extensions there (followed by the service restart that any policy module change needs):

certutil -setreg policy\SubjectAltName enabled
certutil -setreg policy\SubjectAltName2 enabled
net stop certsvc
net start certsvc
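The check and the two remediation paths described above, as an added PowerShell example (this is my code, not from the original post). It assumes it runs on the CA with administrative rights, that the CA configuration lives under the standard CertSvc\Configuration registry key (the same value "certutil -getreg policy\EditFlags" reads), and that 0x40000 is the value of EDITF_ATTRIBUTESUBJECTALTNAME2. The function names and the host names in the generated .inf are placeholders of my own.

```powershell
# Added example, not from the original post: audit the local CA for the
# EDITF_ATTRIBUTESUBJECTALTNAME2 flag and show the request-side alternative.
# Assumptions: run on the CA as an administrator; standard CertSvc registry
# layout; 0x40000 == EDITF_ATTRIBUTESUBJECTALTNAME2. Function names and the
# DNS names used below are my own placeholders.

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaEditFlags {
    # Read EditFlags from the active CA's default policy module; this is the
    # value "certutil -getreg policy\EditFlags" prints.
    $caName = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
    $policyKey = Join-Path $ConfigKey "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    return [int](Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
}

function Test-SanAttributeFlag {
    param([int]$EditFlags)
    # Pure bit test so it can also be run against a value copied from another CA.
    return (($EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
}

function New-SanRequestInf {
    # Build a certreq .inf that carries the SAN inside the CSR (extension OID
    # 2.5.29.17). The CA honours it without any policy flag; on an Enterprise CA
    # the template must allow the subject to be supplied in the request.
    param([string]$Subject, [string[]]$DnsNames)
    $lines = @(
        '[NewRequest]',
        "Subject = `"$Subject`"",
        'KeyLength = 2048',
        'Exportable = FALSE',
        'MachineKeySet = TRUE',
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        'RequestType = PKCS10',
        '[Extensions]',
        '2.5.29.17 = "{text}"'
    )
    foreach ($n in $DnsNames) { $lines += "_continue_ = `"dns=$n&`"" }
    return ($lines -join "`r`n")
}

$flags = Get-CaEditFlags
if (Test-SanAttributeFlag $flags) {
    Write-Warning ("EditFlags = 0x{0:X}: EDITF_ATTRIBUTESUBJECTALTNAME2 is ON." -f $flags)
    Write-Warning 'Anyone who can enroll may pass "san:..." as a request attribute and get a certificate for any name.'
    Write-Warning 'Turn it off with: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 ; net stop certsvc ; net start certsvc'
} else {
    Write-Output ("EditFlags = 0x{0:X}: SAN request attribute is OFF (recommended)." -f $flags)
}

# Request-side alternative: write the .inf, then
#   certreq -new san.inf san.req
#   certreq -submit -config "CAHOST\CA Name" san.req
New-SanRequestInf -Subject 'CN=www.example.local' -DnsNames @('www.example.local', 'example.local') |
    Set-Content -Path "$env:TEMP\san.inf" -Encoding ASCII
```

Run it on the CA after any change to the policy module and again after the service restart; the bit test is the authoritative answer, since the registry value only matters once certsvc has re-read it.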

4 Responses to “How to make sure internal certificate authority is supporting SAN certificate feature?”

  3. Kojo1984 said

    Is this for Windows 2003 or 2008? If you use Microsoft Windows 2008 Standard Edition for a standalone root CA, then you will need to run this command to
    allow the CA to issue SAN certs. For Enterprise, I THINK, it is not needed.

    BTW, the command "certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2" is OK for disabling SAN extensions.
