AD Certificate Services does support issuing certificates that have subject alternative names (SANs) defined for them. However, this feature is not enabled by default and must be explicitly enabled.
This is a CA-wide setting. To enable it, execute the following at a command prompt on each certification authority server, restarting the service so the change takes effect:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
In order to request a SAN during certificate creation, use the web-based certificate request tool. In the Attributes text box, use the following syntax:
san:dns=dnsname[&dns=dnsname]…
The brackets denote optional components. You can have as many &dns= sections as you need (although I'm sure there is an upper limit). You do not need to include the original subject in the SAN string, since that name is already accepted.
For example:
san:dns=shortname&dns=shortname.domainname&dns=altname2&dns=altname2.domainname
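As an added example (not part of the original post), here is a small Python helper for the two things described above: it reads the output of certutil -getreg policy\EditFlags to report whether the CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 flag is set, and it builds the san:dns=... attribute string in the syntax shown. The certutil output embedded below is a constructed sample and the CA name EXAMPLE-CA is made up.

```python
import re

# Bit that certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
# sets in the CA-wide EditFlags DWORD (certutil prints it as 40000 (262144)).
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# Constructed sample of `certutil -getreg policy\EditFlags` on a CA still at
# the default value (symbolic breakdown abbreviated; CA name is made up).
SAMPLE_DEFAULT = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\EXAMPLE-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:
  EditFlags REG_DWORD = 11014e (1114446)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""
# The same CA after the command in the post has been run (constructed).
SAMPLE_ENABLED = SAMPLE_DEFAULT.replace(
    "11014e (1114446)", "15014e (1376590)").replace(
    "    EDITF_ENABLECHASECLIENTDC",
    "    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)\n    EDITF_ENABLECHASECLIENTDC")

_EDITFLAGS_RE = re.compile(r"EditFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)")


def parse_edit_flags(certutil_output: str) -> int:
    """Return the EditFlags DWORD from certutil -getreg output (hex field)."""
    m = _EDITFLAGS_RE.search(certutil_output)
    if not m:
        raise ValueError("EditFlags REG_DWORD line not found in certutil output")
    return int(m.group(1), 16)


def san_attribute_enabled(certutil_output: str) -> bool:
    """True when the CA will honour a requester-supplied san: attribute."""
    return bool(parse_edit_flags(certutil_output) & EDITF_ATTRIBUTESUBJECTALTNAME2)


def build_san_attribute(dns_names) -> str:
    """Build 'san:dns=a&dns=b' in the post's syntax; names are de-duplicated
    case-insensitively in order, and '&' or '=' in a name is rejected."""
    seen, parts = set(), []
    for name in dns_names:
        name = name.strip()
        if not name or "&" in name or "=" in name:
            raise ValueError(f"invalid DNS name for san attribute: {name!r}")
        if name.lower() not in seen:
            seen.add(name.lower())
            parts.append(f"dns={name}")
    if not parts:
        raise ValueError("at least one DNS name is required")
    return "san:" + "&".join(parts)
```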