Subject Alternative Names
I'm racking my brains trying to get Subject Alternative Name working on my internal CA. I'm fairly new to PKI, so forgive me if I'm asking a question I should have easily found by searching, but everything I have found so far still does not seem to work. I have a 2-tier CA; the root CA is offline. Both machines are Windows 2008 R2, and the online CA is running Enterprise. I have run the following command on my issuing CA:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

And if I verify the settings using -getreg I can see that the attribute is listed. If I try to create a certificate using the Computer template, I modify the properties to include the subject alternative name using DNS as the type; however, once the certificate is enrolled and I go and check it, the SAN is the computer's DNS name. Do I need to enable subjectaltname2 on the offline root CA? Is there something else I need to do? (Already stopped and started the certsrv service, btw.) Thanks, shane Brisbane Powershell Usergroup http://powershelldownunder.com
May 3rd, 2011 11:51pm

Hi, Thank you for your question. I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Thank you for your understanding and support. Regards, Arthur Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com . Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 5th, 2011 11:04pm

This is because the Computer template builds subject information from AD and just ignores manually supplied names. Instead you should consider using the WebServer certificate template. Here is an example: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=20

BTW, you should disable this flag by running:

certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

This flag is only required when the SAN extension is passed as an attribute (not as part of the signed certificate request). My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
May 6th, 2011 2:19am
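The workflow Vadims describes, as an added example that is not part of the original thread: the SAN names are placed inside the signed PKCS#10 request (certreq INF, extension OID 2.5.29.17) so the CA does not need EDITF_ATTRIBUTESUBJECTALTNAME2 at all, the request is submitted against the WebServer template, and the issued certificate is checked to confirm the names are really there. The host name web01.corp.example, the second name www.corp.example, the CA config string "CA01.corp.example\Corp Issuing CA" and the directory C:\pki are assumptions for the example. The flag is left off on purpose: with it on, any enrollee can attach arbitrary SAN names as a request attribute to a request for any template the CA issues, so the CA would sign names the template owner never approved.

```powershell
# Added example, not code from the thread. Assumed names: web01.corp.example,
# www.corp.example, CA config "CA01.corp.example\Corp Issuing CA", directory C:\pki.
# Run in an elevated PowerShell on the machine that needs the certificate
# (MachineKeySet = TRUE creates the key in the computer's store).
$ErrorActionPreference = 'Stop'
$work  = 'C:\pki'
$fqdn  = 'web01.corp.example'
$sans  = @('web01.corp.example', 'www.corp.example')
$caCfg = 'CA01.corp.example\Corp Issuing CA'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. On the issuing CA (not here): keep the attribute flag OFF, as the answer says.
#    Uncomment and run on the CA if it was turned on while troubleshooting.
# certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
# Restart-Service certsvc

# 2. Build a certreq INF that carries the SAN inside the signed request.
#    2.5.29.17 is subjectAltName; each _continue_ line appends one "dns=name&".
$sanLines = ($sans | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@
Set-Content -Path "$work\$fqdn.inf" -Value $inf -Encoding ASCII

# 3. Create the key and request, submit it to the issuing CA, install the result.
certreq -new    "$work\$fqdn.inf" "$work\$fqdn.req"
certreq -submit -config $caCfg "$work\$fqdn.req" "$work\$fqdn.cer"
certreq -accept "$work\$fqdn.cer"

# 4. Verify the issued certificate actually contains every requested DNS name.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$work\$fqdn.cer"
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw "Issued certificate has no subjectAltName extension" }
$sanText = $sanExt.Format($true)
foreach ($name in $sans) {
    if ($sanText -notmatch [regex]::Escape($name)) { throw "SAN missing from issued cert: $name" }
}
Write-Host "Issued to $($cert.Subject) with SANs:`n$sanText"
```

Two things to check before relying on this: the computer account submitting the request needs Enroll permission on the WebServer template, and because that template takes the subject and SAN from the request, whoever can enroll against it chooses the names that get signed, so keep its enroll ACL narrow rather than granting it to Domain Computers.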

Thanks for that explanation, Vadims, it makes more sense now. Cheers, shane Brisbane Powershell Usergroup http://powershelldownunder.com
May 9th, 2011 8:35pm
