Requesting an SSL Certificate for Multiple Domains

Overview

To request an SSL certificate that supports multiple domains, you need to generate a CSR (Certificate Signing Request) for SANs (Subject Alternative Names). This article documents how to do this.

Note that the procedure below does not work for Windows Server 2003 or Windows XP. For those operating systems, you must add a SAN extension in base64-encoded ASN.1 format to the Extensions section of the INF file. Refer to this reference and this reference for details.

Reference

This article was adapted from the following sources.


Procedure

(1) Create a text file for the Request Policy using the following template, and save it as MainDomainDotCom.inf

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=maindomain.com,OU=My Organizational Unit,O=My Organization Inc.,STREET=100 Main Street,L=City,S=State,PostalCode=12345-6789,C=US"
; Remove to use an empty Subject name.
; Because SSL/TLS does not require a Subject name when a SAN extension is included, the certificate Subject name can be empty.
; If you are using another protocol, verify the certificate requirements.

EncipherOnly = FALSE ; Only for Windows Server 2003 and Windows XP. Remove for all other client operating system versions.
Exportable = FALSE   ; TRUE = Private key is exportable
KeyLength = 2048     ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1          ; Key Exchange - Required for encryption
KeyUsage = 0xA0      ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName = "ThisIsMyFriendlyName"
RequestType = PKCS10 ; or CMC.

[EnhancedKeyUsageExtension]
; If you are using an enterprise CA, the EnhancedKeyUsageExtension section can be omitted.
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7,
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=www.maindomain.com&"
_continue_ = "dns=www.domain2.com&"
_continue_ = "dns=maindomain.com&"
_continue_ = "dns=domain2.com&"

(2) If you're replacing or updating an existing certificate, take the following values from it. In any case, make the following replacements in the template.


(3) In the Extensions section, include a _continue_ line for each domain name you'd like on the certificate. Be sure to include each domain with the "www" prefix and without, as appropriate.

(4) On the server where the certificate is to be installed, with MainDomainDotCom.inf in the current folder, execute the following command. This creates the MainDomainDotCom.csr file in the same folder.

certreq -new MainDomainDotCom.inf MainDomainDotCom.csr

(5) To validate the CSR, issue the following command.

certutil -dump MainDomainDotCom.csr
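The INF template from step (1), with the per-domain _continue_ lines that step (3) asks for, generated from a plain list of domains. This is an added example, not code from the original article; the function names are my own, the generator keeps only the Server Authentication EKU and a CN-only Subject, and it refuses wildcards, IPs and URLs so that a malformed name cannot reach certreq unnoticed.

```python
import re

# One DNS label (RFC 1123 style): 1-63 chars, letters/digits/hyphens, no edge hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """True only for a plain DNS name: no wildcard, no scheme, no trailing dot."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def san_names(domains, include_www=True):
    """Ordered, de-duplicated DNS names for the SAN extension.

    With include_www=True each name is emitted both with and without the
    "www." prefix, which is what step (3) of the procedure asks for.
    """
    seen, out = set(), []
    for d in domains:
        d = d.strip().lower()
        if not is_valid_hostname(d):
            raise ValueError(f"not a valid DNS name: {d!r}")
        candidates = [d]
        if include_www:
            bare = d[4:] if d.startswith("www.") else d
            candidates = [f"www.{bare}", bare]
        for c in candidates:
            if c not in seen:
                seen.add(c)
                out.append(c)
    return out


def build_san_inf(cn, domains, include_www=True, key_length=2048, exportable=False):
    """Render the INF text consumed by 'certreq -new'. The CN is always in the SAN."""
    names = san_names([cn] + list(domains), include_www)
    lines = ["[Version]", 'Signature="$Windows NT$"', "", "[NewRequest]",
             f'Subject = "CN={cn.strip().lower()}"',
             f"Exportable = {'TRUE' if exportable else 'FALSE'}",
             f"KeyLength = {key_length}", "KeySpec = 1", "KeyUsage = 0xA0",
             "MachineKeySet = True",
             'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
             "RequestType = PKCS10", "", "[EnhancedKeyUsageExtension]",
             "OID=1.3.6.1.5.5.7.3.1", "", "[Extensions]", '2.5.29.17 = "{text}"']
    lines += [f'_continue_ = "dns={n}&"' for n in names]   # one line per SAN entry
    return "\n".join(lines) + "\n"
```

Write the returned string to MainDomainDotCom.inf and continue with step (4); certutil -dump on the resulting CSR should list every name from san_names() under the Subject Alternative Name extension.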

Completing the Certificate Request

To complete the certificate request, follow the directions in this article.