Note

A SAN cannot be added to a certificate after the certificate has been submitted, issued or enrolled.
You can only add it at the time you create the policy file¹.

Prerequisites

You have already created a policy file.

Procedure

Add following elements to your policy:

1. The Extension section (if it’s not already the case²).

   [Extension]

2. The 2.5.29.17 OID (if it’s not already the case).

   2.5.29.17 = "{text}"

3. The _continue_ OID followed by the DNS name.
   For example:

   _continue_ = "DNS=host.domain.com&"

4. Repeat step 3 for every SAN you need to add.

Notes:
– Don’t try to change the “{text}” part.
Leave it as it is.
– Every FQDN must end with an ampersand & if there is another OID to follow.

_continue_ = "DNS=host.domain.com&"

Here is a full example of a typic policy file:

[Version]
 Signature="$Windows NT$"

[NewRequest]
 Subject = "CN=myserver.mycompany.com"
 KeyLength = 2048
 KeySpec = 1
 KeyUsage = 0xA0
 Exportable = TRUE
 ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
 RequestType = PKCS10
 FriendlyName = "My Website"

[EnhancedKeyUsageExtension]
 OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
 OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
 2.5.29.17 = "{text}"
 _continue_ = "dns=myserveralt1.mycompany.com&"
 _continue_ = "dns=myserveralt2.mycompany.com"

More about the policy file’s syntax.

Policy file

A policy file is a plain text file used to create an encoded request file, which will be submitted to the CA.

<sup>1. The creation of the of the policy file is completely transparent in the GUI process.↩
2. The Extension section can be used to add other elements then SANs.↩</sup>