Requesting an SSL Certificate for Multiple Domains

Modified on Mon, Oct 26, 2015, 2:57 PM by Administrator Categorized as Windows (OS, IE, IIS, and MSMQ)

Overview

To request an SSL certificate that supports multiple domains, you need to generate a CSR (Certificate Signing Request) for SANs (Subject Alternative Names). This article documents how to do this.

Note that the procedure below does not work for Windows Server 2003 or Windows XP. For those operating systems, you must add a SAN extension in base64-encoded ASN.1 format to the Extensions section of the INF file. Refer to this reference and this reference for details.

Reference

This article was adapted from the following sources.


Procedure

(1) Create a text file for the Request Policy using the following template, and save it as MainDomainDotCom.inf

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=maindomain.com,OU=My Organizational Unit,O=My Organization Inc.,STREET=100 Main Street,L=City,S=State,PostalCode=12345-6789,C=US"
; Remove to use an empty Subject name.
; Because SSL/TLS does not require a Subject name when a SAN extension is included, the certificate Subject name can be empty.
; If you are using another protocol, verify the certificate requirements.

EncipherOnly = FALSE ; Only for Windows Server 2003 and Windows XP. Remove for all other client operating system versions.
Exportable = FALSE   ; TRUE = Private key is exportable. Leave FALSE unless the key must be moved to another host.
KeyLength = 2048     ; Valid key sizes: 1024, 2048, 4096, 8192, 16384. Public CAs no longer accept 1024-bit RSA keys; use 2048 or larger.
KeySpec = 1          ; Key Exchange - Required for encryption
KeyUsage = 0xA0      ; Digital Signature (0x80) + Key Encipherment (0x20)
MachineKeySet = True ; Store the key in the machine key store (not the user's) so that IIS can use it
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName = "ThisIsMyFriendlyName"
RequestType = PKCS10 ; or CMC.

[EnhancedKeyUsageExtension]
; If you are using an enterprise CA the EnhancedKeyUsageExtension section can be omitted
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7,
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=www.maindomain.com&"
_continue_ = "dns=www.domain2.com&"
_continue_ = "dns=maindomain.com&"
_continue_ = "dns=domain2.com&"

(2) If you are replacing or updating an existing certificate, take the following values from it. Either way, make the following replacements in the template.

  • Replace maindomain.com with the main domain for the certificate.
  • Replace My Organizational Unit with the actual Organizational Unit
  • Replace My Organization Inc. with the name of the Company
  • Replace 100 Main Street with the Company's street address
  • Replace City with the City for the Company's street address
  • Replace State with the name of the State (fully spelled out — no abbreviations) for the Company
  • Replace 12345-6789 with the actual ZIP code for the Company

(3) In the Extensions section, include a _continue_ line for each domain name you'd like on the certificate. Be sure to include each domain with the "www" prefix and without, as appropriate.

(4) On the server where the certificate is to be installed, with the MainDomainDotCom.inf in the current folder, execute the following command. This will create the MainDomainDotCom.csr file in the local folder.

certreq -new MainDomainDotCom.inf MainDomainDotCom.csr

(5) To validate the CSR, issue the following command.

certutil -dump MainDomainDotCom.csr
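The following script is an added example and is not part of the original wiki page. It generates the INF template above from a list of hostnames, applying the substitutions of step (2) and emitting one _continue_ line per name with and without the www prefix as step (3) requires, and then lints the result before certreq is run. The lint checks for the mistakes that most often produce a CSR the CA rejects or a certificate browsers reject: the Subject CN missing from the SAN list (clients ignore the CN once a SAN extension is present), a name listed only with or only without www, a key shorter than 2048 bits, and an exportable private key. It uses only the Python standard library; the function names (san_names, build_inf, check_inf) and the sample company details are assumptions made for this example, and it generalizes the page's two-domain template to any number of domains.

```python
"""Generate and lint a certreq INF with a SAN extension (added example, not the wiki's code)."""
import re

SAN_OID = "2.5.29.17"  # OID of the Subject Alternative Name extension, as used on the page


def san_names(domains):
    """Expand each hostname to its bare and www. forms, deduplicated, order preserved.
    This is step (3): every domain must appear both with and without the www prefix."""
    names = []
    for d in domains:
        bare = d.strip().lower()
        if bare.startswith("www."):
            bare = bare[4:]
        for name in (bare, "www." + bare):
            if name not in names:
                names.append(name)
    return names


def build_inf(main_domain, extra_domains, ou, org, street, city, state, postal):
    """Render the page's INF template with the step (2) substitutions applied.
    The State value must be spelled out in full, as the page requires."""
    names = san_names([main_domain, *extra_domains])
    subject = (f"CN={main_domain},OU={ou},O={org},STREET={street},"
               f"L={city},S={state},PostalCode={postal},C=US")
    lines = [
        "[Version]",
        'Signature="$Windows NT$"',
        "",
        "[NewRequest]",
        f'Subject = "{subject}"',
        "Exportable = FALSE",            # keep the private key on this server
        "KeyLength = 2048",
        "KeySpec = 1",                   # AT_KEYEXCHANGE
        "KeyUsage = 0xA0",               # Digital Signature + Key Encipherment
        "MachineKeySet = True",
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        f'FriendlyName = "{main_domain}"',
        "RequestType = PKCS10",
        "",
        "[EnhancedKeyUsageExtension]",
        "OID=1.3.6.1.5.5.7.3.1 ; Server Authentication",
        "OID=1.3.6.1.5.5.7.3.2 ; Client Authentication",
        "",
        "[Extensions]",
        f'{SAN_OID} = "{{text}}"',
    ]
    lines += [f'_continue_ = "dns={n}&"' for n in names]
    return "\r\n".join(lines) + "\r\n"   # CRLF: this file is consumed on Windows


def check_inf(inf_text):
    """Lint an INF before running certreq. Returns a list of findings (empty means OK)."""
    findings, cn, key_len, exportable, sans = [], None, None, None, []
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop INF comments (no ';' inside quoted values here)
        if not line:
            continue
        m = re.match(r'Subject\s*=\s*"(.*)"', line, re.I)
        if m:
            cnm = re.search(r"(?:^|,)CN=([^,]+)", m.group(1))
            cn = cnm.group(1).strip().lower() if cnm else None
        m = re.match(r"KeyLength\s*=\s*(\d+)", line, re.I)
        if m:
            key_len = int(m.group(1))
        m = re.match(r"Exportable\s*=\s*(\w+)", line, re.I)
        if m:
            exportable = m.group(1).lower() == "true"
        m = re.match(r'_continue_\s*=\s*"dns=([^&"]+)&?"', line, re.I)
        if m:
            sans.append(m.group(1).strip().lower())
    if not sans:
        findings.append("no dns= entries under the SAN extension")
    if cn and cn not in sans:
        findings.append(f"CN {cn} is not in the SAN list; clients ignore CN when a SAN is present")
    for n in sans:
        peer = n[4:] if n.startswith("www.") else "www." + n
        if peer not in sans:
            findings.append(f"{n} is listed without its counterpart {peer}")
    if key_len is not None and key_len < 2048:
        findings.append(f"KeyLength {key_len} is below 2048; public CAs will reject it")
    if exportable:
        findings.append("Exportable = TRUE: the private key can be copied off the server")
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with the real company details before use.
    inf = build_inf("maindomain.com", ["domain2.com"], "My Organizational Unit",
                    "My Organization Inc.", "100 Main Street", "City", "State", "12345-6789")
    print(inf)
    print("findings:", check_inf(inf) or "none")
```

Write the returned text to MainDomainDotCom.inf and run the certreq and certutil commands from steps (4) and (5) as usual; the lint is a pre-flight check, not a replacement for inspecting the certutil -dump output.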

Completing the Certificate Request

To complete the certificate request, follow the directions in this article

ScrewTurn Wiki version 3.0.1.400. Some of the icons created by FamFamFam. Except where noted, all contents Copyright © 1999-2018, Patrick Jasinski.