Today I wanted to issue a certificate with Subject Alternative Names (SAN) through web enrollment.
At first glance, the certificate was generated successfully. However, when I had a look at the certificate’s properties, there were no SANs among the other extensions.
I tried several times, changing some parameters such as the request format (CMC and PKCS10), but the SANs were still missing.
Why doesn’t it work?
Finally, after some research, I found that the Certificate Authority was working fine, as expected and in a secure manner: neither directly through web enrollment (without a request file…) nor through the certificate enrollment wizard should we be able to issue certificates with SANs.
It is still possible to do it through web enrollment without a request file, or through the certificate enrollment wizard, but you first have to enable EDITF_ATTRIBUTESUBJECTALTNAME2.
However, on a page named How to Request a Certificate With a Custom Subject Alternative Name, Microsoft explains the security best practices for allowing SANs in certificates and why you should not enable EDITF_ATTRIBUTESUBJECTALTNAME2:
- In general, the use of user-defined SANs can increase the risk of impersonation attacks because it allows a user to specify arbitrary names in a certificate request.
- Certificate requests that contain SANs should be held in a pending state until they can be reviewed by a certificate manager.
How to do it the secure way?
The official method to do it the secure way is via the command line.
- Enable approval for every template that delivers certificates to computers
- Use the procedure to add SANs to the request policy file.
How to do it the non-secure way?
If, after you read Microsoft’s warning, you made the choice to enable EDITF_ATTRIBUTESUBJECTALTNAME2, here is how to do it:
- Open a CMD command prompt
- Type the following commands:
    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    net stop certsvc
    net start certsvc
- Restart the Certificate Authority service
Now you can issue certificates with SANs directly through web enrollment or through the certificate enrollment wizard.
But remember that you just opened the door to spoofing attacks inside your own company…
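If you want to check whether a CA already has this flag set (for example during an audit of an existing PKI), here is an added PowerShell check, not part of the original post. It reads the policy-module EditFlags value of the active CA from the standard CertSvc registry location (the default policy module name is assumed) and tests the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x40000); run it on the CA host with administrative rights.

```powershell
# Added audit script (not from the original post): reports whether the active CA
# accepts user-supplied SAN attributes in requests (EDITF_ATTRIBUTESUBJECTALTNAME2).
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # bit value of the flag in EditFlags

function Test-SanFlagEnabled {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # "Active" names the CA instance configured on this host
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    # EditFlags lives under the default policy module (assumed name)
    $policyKey = Join-Path $base "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags

    [PSCustomObject]@{
        CAName    = $caName
        EditFlags = ('0x{0:X}' -f $editFlags)
        SanFlagOn = (($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
    }
}

$result = Test-SanFlagEnabled
$result | Format-List

if ($result.SanFlagOn) {
    Write-Warning "EDITF_ATTRIBUTESUBJECTALTNAME2 is set: enrollees can put arbitrary names in the SAN of issued certificates."
    Write-Host "To restore the default behaviour, run on the CA and restart the service:"
    Write-Host "  certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2"
    Write-Host "  net stop certsvc"
    Write-Host "  net start certsvc"
} else {
    Write-Host "EDITF_ATTRIBUTESUBJECTALTNAME2 is not set (default): SAN attributes in requests are ignored."
}
```

The same value can be read with certutil -getreg policy\EditFlags; the script simply makes the bit test explicit so it can be scheduled or run across several CAs.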