How to add Subject Alternative Names to a certificate

Note

A SAN cannot be added to a certificate after the certificate has been submitted, issued or enrolled.
You can only add it at the time you create the policy file1.

Prerequisites

You have already created a policy file.

Procedure

Add following elements to your policy:

  1. The Extension section (if it’s not already the case2).
    [Extension]
  2. The 2.5.29.17 OID (if it’s not already the case).
    2.5.29.17 = "{text}"
  3. The _continue_ OID followed by the DNS name.
    For example:

    _continue_ = "DNS=host.domain.com&"
  4. Repeat step 3 for every SAN you need to add.

Notes:
– Don’t try to change the “{text}” part.
Leave it as it is.
– Every FQDN must end with an ampersand & if there is another OID to follow.

_continue_ = "DNS=host.domain.com&"

Here is a full example of a typic policy file:

[Version]
 Signature="$Windows NT$"

[NewRequest]
 Subject = "CN=myserver.mycompany.com"
 KeyLength = 2048
 KeySpec = 1
 KeyUsage = 0xA0
 Exportable = TRUE
 ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
 RequestType = PKCS10
 FriendlyName = "My Website"

[EnhancedKeyUsageExtension]
 OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
 OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
 2.5.29.17 = "{text}"
 _continue_ = "dns=myserveralt1.mycompany.com&"
 _continue_ = "dns=myserveralt2.mycompany.com"

More about the policy file’s syntax.


Policy file
A policy file is a plain text file used to create an encoded request file, which will be submitted to the CA.

1. The creation of the of the policy file is completely transparent in the GUI process.
2. The Extension section can be used to add other elements then SANs.

2 thoughts on “How to add Subject Alternative Names to a certificate

  1. Wondering if you have tried this on Windows 10 at all? It chokes on the 2.5.29.17, the SAN OID. Guessing they changed something in Windows 10 that doesn’t allow certreq to use that. I’ve been trying to find a solution for it. Great write up, and hope you are doing well!

    Like

    1. I’ve just used the example from my article on a Win 10 1809 and it works fine.
      I copied the content to a file named Certificate.inf and launched
      “certreq -new .\certificate.inf .\certificate.req”

      Like

Leave a Reply to Luke Cancel reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s