I'm trying to issue a new certificate using the additional attributes field within the Windows CertSrv Web-Enrollment Client.
I added the CSR, picked the template and entered this into the attributes field:
SAN:dns=HOSTNAME&dns=HOSTNAME.DOMAIN.COM&ipaddress=IPADDRESS
The request is successful, but when I check the signed certificate no "Alternative Names" attribute is added to it. Am I missing something? Maybe an issue with the template? (used a default Win 2003 level webserver template copy with some custom settings).
/edit Also I've tried to use
certreq -submit -attrib "CertificateTemplate:MYTEMPLATE" <Cert Request.req> -attrib "SAN:dns=HOSTNAME&dns=HOSTNAME2&ipaddress=IPADDRESS"
resulting in the same problem: cert gets generated, but without any SAN attribute.
/edit2 Also I've set the CA to issue SAN certificates using
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
and restarting the CA service. Still: no SANs.
Please note: using req. files and OpenSSL to generate the CSR I'm able to generate certificates using the CA which have some SANs included. However, this option is not valid in my current situation since I'm getting the CSR from an application and I'm not able to manually generate one for the application.
/edit3 I tried using the default webserver certificate WITHOUT any changes and suddenly it worked. So now the question is: what are the template requirements to enable SAN?
I know this is old, but I've just figured it out myself and thought it might help someone else. I too have been unable to get CA to add the SAN via either the web page or the
certreq ... -attrib "SAN:DNS=<FQDN>[&DNS=<FQDN2>...]..."
format. The SAN attribute was ignored, even though the certificate was issued. However, I found that it works with this format:
certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=<Name1>[&DNS=<name2>...][&IPAddress=<IP1>...]" <csr filename> <cer filename>
For example, if you have a certificate request file called HP_VC.csr and you want the subject alternative names to be vc1, vc2, vc1.domain.com, vc2.domain.com, 192.168.1.1, and 192.168.1.2 the command would be:
The certificate in HP_VC.cer will contain the SAN attribute.
I'm using this for HP Virtual Connect (VC) modules, Onboard Administrators (OA) and iLOs. It should work for any generic situation that needs a certificate with a SAN.
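As an added example (not part of the answer above, nor HP's or Microsoft's own code), the following PowerShell script builds the single -attrib string in the format the answer describes (template and SAN joined by a literal "\n"), submits the CSR with certreq, and then reads the issued certificate back to confirm the Subject Alternative Name extension is actually present and contains only the names that were requested. The template name, host names, IP addresses and file paths are placeholders; adjust them to your environment.

```powershell
# Added example: submit a CSR with a SAN attribute and verify the issued certificate.
# All names, addresses and paths below are assumed placeholders.
param(
    [string]$Template    = 'WebServer',
    [string[]]$DnsNames  = @('vc1', 'vc1.domain.com'),
    [string[]]$IPAddresses = @('192.168.1.1'),
    [string]$CsrPath     = '.\HP_VC.csr',
    [string]$CerPath     = '.\HP_VC.cer'
)

# certreq treats the literal two characters "\n" inside one -attrib value as a line break
# between attributes. In PowerShell a double-quoted "\n" stays literal (the escape is `n),
# so the string reaches certreq exactly as "CertificateTemplate:...\nSAN:...".
$sanParts = @($DnsNames | ForEach-Object { "DNS=$_" }) +
            @($IPAddresses | ForEach-Object { "IPAddress=$_" })
$attrib = "CertificateTemplate:$Template\nSAN:" + ($sanParts -join '&')
Write-Host "Submitting with -attrib `"$attrib`""

# -submit is the default certreq action; add -config "CAHOST\CA Name" (placeholder) if the
# machine can see more than one CA and you want to avoid the selection dialog.
& certreq.exe -submit -attrib $attrib $CsrPath $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Verify: load the issued certificate and look for the SAN extension (OID 2.5.29.17).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (Resolve-Path $CerPath).Path
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) {
    throw "Issued certificate has no SAN extension; check the template and the CA's EditFlags"
}
$sanText = $san.Format($true)   # multi-line, human-readable decoding of the extension
Write-Host "SAN extension:`n$sanText"

# The CA should have issued exactly the names we asked for. Because EDITF_ATTRIBUTESUBJECTALTNAME2
# lets any enrollee supply SANs for any template, checking the result is a cheap control.
foreach ($name in ($DnsNames + $IPAddresses)) {
    if ($sanText -notmatch [regex]::Escape($name)) {
        Write-Warning "Expected SAN entry '$name' not found in issued certificate"
    }
}
```

Run it from the directory holding the .csr file; if the SAN extension is missing, the script stops with an error rather than silently reporting success, which is the failure mode described in the question.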
There's a good answer here, too, which solved the problem for me: http://terenceluk.blogspot.com/2017/09/adding-san-subject-alternative-name.html
It seems by default the certificate service does not actually accept SubjectAltName input from the web form, for possibly good security reasons. As someone comments on this page - it depends on how well you trust the access controls to your cert services web console.