Configure Internal Windows CA to issue SAN certificates
A lot of companies these days are using SAN (Subject Alternative Name) certificates because they can protect multiple domain names using a single certificate. For example, you can protect both www.mydomain.com and www.mydomain.org. If you are in a small environment and can’t afford a SAN certificate, you can use your internal Windows CA to issue this kind of certificate.
For this lab I’m going to use an Enterprise Windows CA running on Windows Server 2008 R2 SP1. If you don’t have a 2008 R2 box, you can use a Windows 2003 server edition. To be able to issue SAN certificates using our internal Windows CA we need to configure it first, so connect to the CA server and open a terminal. Here type the following command:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Don’t close the terminal yet, because we need to restart the Active Directory Certificates Services service. Type the following command to restart the service:
net stop certsvc & net start certsvc
Our internal CA is now ready to issue certificates that contain the SAN extension. Let’s request some.
For this exercise you need to configure your internal CA web page to use an encrypted connection. Issue a web server certificate from the internal CA, or create a self-signed certificate, then bind it to the web site.
Open a browser on one of your clients, or even on the CA server itself, and type the CA server web address into your browser (e.g. https://MyInternalCA/certsrv). On the Welcome page click Request a certificate.
Click advanced certificate request.
Click Request and submit a request to this CA.
On the warning message click the OK button.
On the Certificate Template box select Web Server.
Now I want to show you something fancy. Usually in the Name box you would type the common name of the certificate, but this time we are not going to. Just type something like SSL Certificate or My SSL Certificate.
Complete the rest of the boxes until you reach the Attributes box. Here we provide the domain names that this certificate should protect. The syntax is like this:
san:dns=mydomain.com&dns=mydomain.org&dns=mydomain.net
If you want to, give the certificate a friendly name, then click the Submit button. When the warning pops up click Yes.
To install the certificate click the link Install this certificate. Now if we open the user certificate store we can see our certificate installed, with a SAN extension that contains the protected domain names. Just look at the Issued to section. I told you it would be fancy.
Remember, this “fancy” certificate is just for fun. You can use it with your internal CA, but not with a commercial CA, because it will cost you more since you pay for each domain in the SAN extension. Another problem with this “fancy” certificate is that some software will give you a certificate error message, not being able to recognize the SAN extension in the certificate (been there). If you have this problem, just type the FQDN (common name) in the Name box on the CA web page when you request the certificate.
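The configuration step and the web-page request above, done from a PowerShell prompt instead, as an added example that is not part of the original post. It sets the same registry flag, restarts the service, reads the flag back to confirm it took, and then submits a certreq request whose SAN is passed as the same request attribute string the Attributes box takes. The CA name in $caConfig, the host names, and the file names are placeholders; it assumes you run it elevated on a box that can reach the CA and have enroll rights on the Web Server template. One point worth keeping in mind: once this flag is on, the CA honours a SAN supplied as a plain request attribute by any enrollee, which is why the script verifies the flag explicitly; the OpenSSL method later in the post carries the SAN inside the signed CSR itself.

```powershell
# Added example, not from the original post. Placeholders: $caConfig, $sanNames, file names.
$caConfig = 'MyInternalCA\My-Internal-CA'   # "<host>\<CA common name>"; see: certutil -dump
$sanNames = 'www.mydomain.com', 'www.mydomain.org', 'www.mydomain.net'

# 1. Enable the SAN request attribute and restart AD Certificate Services (the post's two commands).
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 | Out-Null
Restart-Service -Name certsvc

# 2. Read the flag back; certutil lists the symbolic names of every EditFlags bit that is set.
$editFlags = certutil -getreg policy\EditFlags | Out-String
if ($editFlags -notmatch 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    throw 'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set; a SAN request attribute would be ignored.'
}

# 3. Build the certreq .inf. The subject is the "fancy" name from the post; the real host names go in the SAN.
$inf = @"
[NewRequest]
Subject = "CN=My SSL Certificate"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
"@
$inf | Set-Content -Path .\san.inf -Encoding ASCII

# 4. Create the CSR, then submit it. The attribute string is the one the web page's Attributes box expects;
#    the backtick-n newline separates the template attribute from the SAN attribute.
certreq -new .\san.inf .\san.req
$sanAttrib = 'san:' + (($sanNames | ForEach-Object { "dns=$_" }) -join '&')
certreq -submit -config $caConfig -attrib "CertificateTemplate:WebServer`n$sanAttrib" .\san.req .\san.cer
certreq -accept .\san.cer   # installs into the local machine store (MachineKeySet = TRUE)

# 5. Confirm the issued certificate carries the names that were requested (OID 2.5.29.17 = subjectAltName).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path .\san.cer).Path)
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw 'Issued certificate has no SAN extension; the request attribute was not honoured.' }
$san.Format($true)   # prints one "DNS Name=..." line per protected host name
```

The final check is the part to keep even if you request through the web page: open the issued certificate and confirm the SAN lists exactly the names you intended, and nothing else.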
OK, we created a certificate by completing the information in the CA web page, but what about those of you that have the request in a file? Don’t worry, this is next. For this part of the guide I created a certificate request using OpenSSL. You can download OpenSSL from this address. To configure it for the SAN extension we need to edit the openssl.cfg file in the bin directory.
Here uncomment the req_extensions = v3_req line, then paste this:
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = myfirstdomain.com
DNS.2 = www.myseconddomain.net
DNS.3 = myseconddomain.org
Of course, replace the domain names with your own. Now open a terminal and go to the OpenSSL bin directory. Here type the following:
openssl genrsa 2048 > rui.key
openssl req -new -key rui.key > rui.csr
Now in the bin folder there is a new file called rui.csr. Open the file using Notepad or any other text editor, copy the content and go to the CA web page. Click Request a certificate > advanced certificate request > Submit a certificate request by using a base-64-encoded… and paste the content of the rui.csr file in the Saved Request box. Under Certificate Template select Web Server and click the Submit button.
Click Download Certificate and save it somewhere on your hard drive, then open it. It should have a common name and a SAN extension. If you want the common name to be something “fancy” like before, on the OpenSSL line Common Name (eg, YOUR name) []: type your desired name.
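The OpenSSL part of the post as one script, added here as an example that is not from the original post. Instead of editing the stock openssl.cfg it writes a small self-contained config with the same v3_req and alt_names sections, generates the key and CSR against that config, and then prints the CSR back to confirm every name actually landed in the SAN before you paste it into the web page (a missing req_extensions line silently produces a CSR with no SAN at all). The domain names, the common name and the assumption that openssl.exe is on PATH are placeholders.

```powershell
# Added example, not from the original post. Placeholders: $openssl path, $dnsNames, the CN.
$openssl  = 'openssl'
$dnsNames = 'myfirstdomain.com', 'www.myseconddomain.net', 'myseconddomain.org'

# Build the alt_names entries (DNS.1 = ..., DNS.2 = ..., ...) from the list above.
$altLines = for ($i = 0; $i -lt $dnsNames.Count; $i++) { "DNS.$($i + 1) = $($dnsNames[$i])" }
$altNames = $altLines -join "`r`n"

# Minimal config: [req] points at v3_req, which pulls subjectAltName from alt_names, as in the post.
# prompt = no makes openssl take the DN from req_distinguished_name instead of asking interactively.
$config = @"
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = My SSL Certificate

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
$altNames
"@
$config | Set-Content -Path .\san.cnf -Encoding ASCII

# Key and request; -config overrides whatever openssl.cfg the binary would otherwise load.
& $openssl genrsa -out rui.key 2048
& $openssl req -new -key rui.key -config .\san.cnf -out rui.csr

# Verify the CSR: the decoded text must contain a DNS: entry for every configured name.
$text    = & $openssl req -in rui.csr -noout -text | Out-String
$missing = $dnsNames | Where-Object { $text -notmatch ('DNS:' + [regex]::Escape($_)) }
if ($missing) { throw "SAN missing from CSR for: $($missing -join ', ')" }
'rui.csr carries the SAN extension; paste its contents into the Saved Request box on the CA web page.'
```

The same openssl req -in rui.csr -noout -text check is worth running on any CSR you receive from someone else before submitting it to the CA, since the CA will copy whatever names the request asks for.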