How to make sure internal certificate authority is supporting SAN certificate feature?
Posted by Brajesh Panda on June 6, 2011
SAN Certificate for IIS 7.5 Web Servers – Part 3
- How to configure multiple websites to access using host headers?
- How to create a certificate signing request for our IIS web server?
- How to make sure internal certificate authority is supporting SAN certificate feature?
- How to generate SAN certificate from internal Windows 2003 certificate authority?
- How to configure/import SAN certificate in IIS 7.x?
How to make sure internal certificate authority is supporting SAN certificate feature?
Certificate servers come with policy modules that provide different services. Various extensions attached to a policy module can be turned on so that clients can submit requests that use those features.
CertificateAuthority_MicrosoftDefault.Policy is the default policy module in a Windows 2003 Certificate server.
The certutil -getreg command shows the configuration parameters of the default policy module.
certutil -getreg policy\EditFlags shows which edit flags are turned on for the default policy module.
The SAN certificate extension can be turned on with the following command:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
The SAN certificate extension can be turned off with the following command:
(I didn't try this one – just researched it on Google – maybe sometime later I will try this.)
certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
Here are some registry screenshots from before and after turning it on. I am not sure whether it can be turned on by just changing the registry key below. Maybe sometime later I will try this.
After turned on
On a Windows 2008 CA, use the commands below to enable the SAN extensions:
certutil -setreg policy\SubjectAltName enabled
certutil -setreg policy\SubjectAltName2 enabled
net stop certsvc
net start certsvc
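As an added example (not from the original post), a small Python helper that parses saved output of certutil -getreg policy\EditFlags, reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set, and models certutil's +FLAG / -FLAG setreg syntax as setting or clearing that bit. This is useful for auditing a CA's state before and after the change, since the flag lets a requester supply the SAN as a request attribute. The sample output and the CA name EXAMPLE-CA are constructed; the flag's bit value 0x40000 comes from certsrv.h.

```python
import re

# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 as defined in certsrv.h (0x00040000).
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# Constructed sample of "certutil -getreg policy\EditFlags" output, as it looks on a
# CA where the flag has been turned on; not captured from the original post's CA.
SAMPLE_OUTPUT = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\EXAMPLE-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""


def parse_editflags(output: str) -> int:
    """Return the EditFlags DWORD (hex in the certutil output) as an int."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)", output)
    if not m:
        raise ValueError("EditFlags value not found in certutil output")
    return int(m.group(1), 16)


def san_attribute_enabled(editflags: int) -> bool:
    """True when the CA honours a SAN supplied as a request attribute."""
    return bool(editflags & EDITF_ATTRIBUTESUBJECTALTNAME2)


def apply_setreg(editflags: int, flag: int, enable: bool) -> int:
    """Model certutil -setreg '+FLAG' (set the bit) and '-FLAG' (clear the bit)."""
    return editflags | flag if enable else editflags & ~flag


if __name__ == "__main__":
    flags = parse_editflags(SAMPLE_OUTPUT)
    print(f"EditFlags = {flags:#x}; SAN attribute enabled: {san_attribute_enabled(flags)}")
    print(f"after -EDITF_ATTRIBUTESUBJECTALTNAME2: "
          f"{apply_setreg(flags, EDITF_ATTRIBUTESUBJECTALTNAME2, False):#x}")
```

Run it against the saved output of each CA in the forest to see which ones still have the flag set.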
How to generate SAN certificate from internal Windows 2003 certificate authority? « TechOnTip Weblog said
[…] How to make sure internal certificate authority is supporting SAN certificate feature? […]
How to configure/import SAN certificate in IIS 7.x? « TechOnTip Weblog said
[…] How to make sure internal certificate authority is supporting SAN certificate feature? […]
Kojo1984 said
Is this for Windows 2003 or 2008? If you use a Microsoft Windows 2008 Standard Edition for Standalone Root CA, then you will need to do this command to
allow the CA to issue SAN certs. For Enterprise, I THINK, it is not needed.
BTW, the command "certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2" is OK for disabling SAN extensions.
Brajesh Panda said
I tried in Windows 2003 Standalone CA – thanks for the confirmation on san extension disable!
Endangering the Active Directory forest through the EDITF_ATTRIBUTESUBJECTALTNAME2 flag – Uwe Gradenegger said
[…] unfortunately many guides circulate on the web which recommend that the EDITF_ATTRIBUTESUBJECTALTNAME2 flag be set on the […]
Changing the Subject Alternative Name (SAN) of a certificate before it is issued – but securely! – Uwe Gradenegger said
[…] unfortunately far too many guides circulate on the web (even the big players are […]