How to add Subject Alternative Names to a certificate

Note

A SAN cannot be added to a certificate after the request has been submitted, issued or enrolled.
You can only add it at the time you create the policy file [1].

Prerequisites

You have already created a policy file.

Procedure

Add the following elements to your policy:

  1. The Extensions section (if it is not already present [2]).
    [Extensions]
  2. The 2.5.29.17 OID, which is the Subject Alternative Name extension (if it is not already present).
    2.5.29.17 = "{text}"
  3. A _continue_ line carrying the DNS name.
    For example:

    _continue_ = "DNS=host.domain.com&"
  4. Repeat step 3 for every SAN you need to add.

Notes:
– Don't change the "{text}" part. Leave it as it is.
– Every FQDN must end with an ampersand (&) if another entry follows it; the last entry has no ampersand.

_continue_ = "DNS=host.domain.com&"

Here is a full example of a typical policy file:

[Version]
 Signature="$Windows NT$"

[NewRequest]
 Subject = "CN=myserver.mycompany.com"
 KeyLength = 2048
 KeySpec = 1
 KeyUsage = 0xA0
 Exportable = TRUE
 ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
 RequestType = PKCS10
 FriendlyName = "My Website"

[EnhancedKeyUsageExtension]
 OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
 OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
 2.5.29.17 = "{text}"
 _continue_ = "dns=myserveralt1.mycompany.com&"
 _continue_ = "dns=myserveralt2.mycompany.com"
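The steps and notes above leave two easy mistakes: forgetting the ampersand between entries, or leaving one on the last entry. The following script is an added example (not code from the original post) that builds the [Extensions] block the same way the post does, assembles a complete policy file modelled on the example above, and reads a policy file back to check that the SAN entries are well formed before the request is generated. The section and key names ([Extensions], 2.5.29.17, _continue_) are the certreq syntax shown on this page; the function names and the example host names are this example's own. It also goes slightly beyond the post by adding the subject CN to the SAN list, since TLS clients match the host name against the SAN extension rather than the CN.

```python
"""Build and sanity-check a certreq policy (.inf) file with Subject Alternative Names.

Added example; the helper names below are hypothetical, the INF syntax is certreq's.
"""
import re

SAN_OID = "2.5.29.17"          # id-ce-subjectAltName, as used in the post
DNS_NAME = re.compile(r"[A-Za-z0-9.-]+")


def san_extension_lines(dns_names):
    """Return the [Extensions] lines for the given DNS names.

    certreq concatenates the _continue_ values into one string, so every
    entry except the last is terminated with '&' to separate it from the next.
    """
    if not dns_names:
        raise ValueError("at least one DNS name is required")
    for name in dns_names:
        if not DNS_NAME.fullmatch(name):
            raise ValueError(f"not a plain DNS name: {name!r}")
    lines = ["[Extensions]", f'{SAN_OID} = "{{text}}"']
    last = len(dns_names) - 1
    for i, name in enumerate(dns_names):
        sep = "&" if i < last else ""
        lines.append(f'_continue_ = "DNS={name}{sep}"')
    return lines


def build_policy(subject_cn, dns_names, friendly_name="My Website"):
    """Assemble a full policy file like the post's example, with SANs.

    The CN is placed first in the SAN list if it is not already there,
    because clients validate the host name against the SAN extension.
    """
    names = list(dns_names)
    if subject_cn not in names:
        names.insert(0, subject_cn)
    head = [
        "[Version]",
        'Signature="$Windows NT$"',
        "",
        "[NewRequest]",
        f'Subject = "CN={subject_cn}"',
        "KeyLength = 2048",
        "KeySpec = 1",
        "KeyUsage = 0xA0",
        "Exportable = TRUE",   # as in the post; allows the private key to be exported later
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        "RequestType = PKCS10",
        f'FriendlyName = "{friendly_name}"',
        "",
        "[EnhancedKeyUsageExtension]",
        "OID=1.3.6.1.5.5.7.3.1 ; Server Authentication",
        "",
    ]
    return "\n".join(head + san_extension_lines(names)) + "\n"


def parse_sans(policy_text):
    """Extract the SAN DNS names from a policy file, rejecting separator mistakes."""
    in_ext = False
    saw_oid = False
    parts = []
    for raw in policy_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop ';' comments
        if not line:
            continue
        if line.startswith("["):
            in_ext = line.lower() == "[extensions]"
            continue
        if not in_ext:
            continue
        m = re.fullmatch(r'(\S+)\s*=\s*"(.*)"', line)
        if not m:
            continue
        key, value = m.groups()
        if key == SAN_OID and value == "{text}":
            saw_oid = True
        elif key.lower() == "_continue_":
            parts.append(value)
    if parts and not saw_oid:
        raise ValueError(f'_continue_ lines found without {SAN_OID} = "{{text}}"')
    joined = "".join(parts)
    if joined.endswith("&"):
        raise ValueError("last SAN entry must not end with '&'")
    names = []
    for entry in joined.split("&"):
        kind, _, value = entry.partition("=")
        # A missing '&' glues two entries together ("a.example.comDNS=b.example.com"),
        # which the DNS-name pattern rejects because of the embedded '='.
        if kind.lower() != "dns" or not DNS_NAME.fullmatch(value):
            raise ValueError(f"malformed SAN entry: {entry!r}")
        names.append(value)
    return names


if __name__ == "__main__":
    # Constructed sample names; write the result to a file and feed it to certreq -new.
    policy = build_policy("myserver.mycompany.com",
                          ["myserveralt1.mycompany.com", "myserveralt2.mycompany.com"])
    print(policy)
    print("SANs:", parse_sans(policy))
```

Run it once before `certreq -new` so that a stray or missing ampersand is caught in the policy file rather than discovered after the CA has issued a certificate that cannot be amended.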

More about the policy file’s syntax.


Policy file
A policy file is a plain text file used to create an encoded request file, which is then submitted to the CA.

[1] The creation of the policy file is completely transparent in the GUI process.
[2] The Extensions section can also be used to add elements other than SANs.
