We are running an enterprise CA on Windows 2008R2. I just did an update to windows 7 on my workstation. Now every time I connect to a remote server using rdp I get a warning stating that the servername is wrong. This is because I use just the hostname for connecting and the cert is created using the fqdn.
The certificates on the servers have been created using autoenrollment with a template based on the computer template.
Is there a way to automatically include the hostname as a subject alternate name (san) and still use autoenrollment? I would like the autoenrolled certificates to have server
and server.domain.local
as a valid name.
You would need to create a new Computer certificate template with the option Subject Name: Supply in the request selected. You will need to provide both the subject name and alternate subject name within the request.
Unfortunately, there is no way to autoenroll with this option, as Windows Certificate Services only allows the use of DNS name or SPN for the alternate.
As an aside, doing something like this would not be considered a security best practice, as an attacker can perform man-in-the-middle attacks with a forged certificate.