CA request - Windows Server 2012 - Subject Alternate Name
Hi,
 
On 2008 R2 SubCA I used .inf file to create certificates with SAN. I used the following extension:
 
[Extensions]
 2.5.29.17 = "{text}"
 _continue_ = "dns=name.domain.com$dns=othername"
 
This does not seem to work on a 2012 SubCA. Are there any changes in how to get SAN in the certificate?
 
Regards,
 Espen
July 25th, 2013 10:28am

Hi,
 
As this thread has been quiet for a while, we will mark it as Answered as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
  
BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
  
Best Regards
  
Kevin
July 30th, 2013 3:59am

Hi,

The links refer to 2008 R2, I need the same for 2012. MS changed how SAN worked from 2003 to 2008, and seem to have done it again for 2012. I can't find any information around this.

Anyone know how to add SAN on a 2012 CA request?

regards,
Espen

August 12th, 2013 9:47am

This command needs to be run on the server where the CA is installed (run command prompt with elevated privileges) and everything should work as expected. This is true for 2012R2 also.

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
April 13th, 2015 2:14pm

The command certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 is **NOT** recommended as it allows the addition of SANs post request. The preferred method is to either use the certificates MMC and create a request with the subject and all required SANs defined in the request or to use certreq and an INF file with all SANs defined in the INF file.

There is too much risk to allow someone to add a name post request (for example, adding the Enterprise Admin account's UPN to a certificate). There is no checking on the request to prevent unauthorized naming.

Brian

April 13th, 2015 7:12pm
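
The approach recommended in the reply above, as an added example that is not part of the original thread: every SAN goes into the signed request via a certreq INF file, and the CA is checked for the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. The host names reuse the placeholders from the original question; the file names and the key settings under [NewRequest] are assumptions.

```powershell
# Added example, not code from the thread. File names are hypothetical.

# 1. On the requesting machine (elevated, because MachineKeySet = TRUE):
#    define the subject and every SAN inside the request itself.
#    Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=name.domain.com"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10

[Extensions]
; 2.5.29.17 is the Subject Alternative Name extension OID.
; In the {text} form each name sits on its own _continue_ line and ends with &.
2.5.29.17 = "{text}"
_continue_ = "dns=name.domain.com&"
_continue_ = "dns=othername&"
'@
Set-Content -Path .\san-request.inf -Value $inf -Encoding ASCII
certreq -new .\san-request.inf .\san-request.req

# Confirm the SAN extension is inside the signed request before submitting it.
certutil -dump .\san-request.req |
    Select-String -Context 0,4 'Subject Alternative Name'

# 2. On the CA server (elevated): certutil lists the names of the EditFlags
#    that are currently set, so the flag name appears only when it is enabled.
$flags = certutil -getreg policy\EditFlags
if ($flags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: SANs can be added as request attributes.'
    # To clear the flag, then restart the CA service so the change takes effect:
    # certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
    # Restart-Service certsvc
} else {
    'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set.'
}
```

With the flag cleared, the CA issues only the names carried in the signed request, so the request can be reviewed as a whole before approval.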

This topic is archived. No further replies will be accepted.
