FAQ: How do I configure a certificate to use multiple subject names?

Update: I've attached a sample .INF file to this posting. 

It's a pretty commonly asked question. People want to use different subject names on the Internet and intranet for their MPs. This isn't hard to do, and it requires something called a Subject Alternative Name, often abbreviated as SAN. The SAN can contain multiple alternate names. The SAN will take precedent over the common name (CN), or the regular subject name for a certificate. This is important because it means that if you have "hostnameA" in the CN, and "hostnameB" in the SAN, "hostnameA" will cause a CN mismatch. You will have to have a SAN for "hostnameA" and "hostnameB" for both to work.

To request certificates with SANs, you have to first configure your CA to support them. On Microsoft CAs, SAN support is not enabled for general requests by default. To enable this, run the following command on your CA server: certutil.exe -setreg policy\editflags +EDITF_ATTRIBUTESUBJECTALTNAME2

You MUST restart Certificate Services after doing this.

Now that the CA is configured to support SANs, you need to specially craft your request to use them. If going through web enrollment, you can add a custom attribute in the last section. To specify a SAN of "hostnameA" and "hostnameB", you would use the following syntax: SAN:dns=hostnameA&dns=hostnameB

Each SAN argument is ampersand separated. This should issue a certificate that will have a "Subject Alternative Name" section under Details. You can verify this by using the browser test by going to each https URL and ensuring that you don't get any certificate errors.

If you're using an .INF file to request certificates from a CA, the syntax is slightly different. You'll need to add a [RequestAttributes] section, and then use the syntax of: SAN="dns=hostnameA&hostnameB"

Hopefully this will be enough to help provide some basic knowledge on how to configure SAN support on the CA and in certificates.


Comments (0)

Skip to main content