PKI

Adding SAN (Subject Alternative Name) into Additional Attributes

by Nishiket

Posted on December 23, 2022Last updated on January 3, 2023

Read time: 7 minutes

All the domain names and IP addresses protected by the certificate are listed systematically using the SAN or Subject Alternative Name. The Subject Alternate Names must be provided on an SSL/TLS certificate when further website actions need to be secured so that the DNS server can map the IP address to the domain name.

The SANs information can be found in the SSL/TLS certificate data by clicking on the padlock icon in most web browsers’ address bars.

In this blog, we will talk about how to add Subject Alternate Name attributes to a certificate, i.e., Web Server Certificate Enrollment with SAN Extension. Also, we will cover an error, i.e., Adding SAN (Subject Alternative Name) into the Additional attributes field on the Microsoft CA Certificate request form doesn’t produce does not automatically produce a certificate with a “Subject Alternative Name” entry.

Web Server Certificate Enrollment with SAN Extension

Enrolling a certificate with a custom SAN extension is now super simple. There is a certain set of instructions to follow, and you’ll get it.

Setting Certificate Template

Most certificate templates are set up to build a subject from Active Directory. But in the case of SSL Certificates, they use Supply in the request because they use a custom subject name. If you are using the default web server template, then there is no need to modify anything. For the custom certificate template, you should update it as given below.

Enrolling a certificate with a custom SAN extension

Also, you need to give Read and Enroll permissions from the security tab to your account.

Setting Certification Authority

Go to the certsrv console and expand Issuing CA.
Go to Certificate Template and open it.
Check whether the template is listed in the window; if not, right-click on the certificate template and then New -> Certificate Template to issue.
Select the required template and click on add.

Certificate Enrollment Process

Open mmc console. In the Console1 window, go to File-> Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click on certificates and add.
In certificates, snap in box, click computer account, and next.
In the select computer window, click Local Computer and Finish.
Click Ok and close the snap-in.
Right-click on the personal node. Click on All tasks-> Request new certificate.
In the Before you begin page, click Next.
In the select enrollment policy page, select the appropriate policy and go next.
In the Request Certificate box, click on the required template, expand its details, and open its properties to configure it.
Certificate Properties Dialog box will appear like this.
Since you are using Subject Alternate Name (SAN), you can leave the Subject name empty. In the dropdown, select the proper type for SAN. (In the case of SSL certificates, DNS is common).
In the value box, enter the names in the corresponding format and click add. Repeat this step for all the values you want to add.
Hit Ok and close. You’ll return to the certificate enrollment page. Click on enroll.
Click finish when the certificate is successfully installed.
Here, you can view the Certificate’s SAN details.

Troubleshooting

Issue

The certificate generated doesn’t include SAN (Subject Alternative Name) entry even after adding SAN in the additional attributes field.

Cause

If Microsoft CA’s issuance policy is not set up to accept the Subject Alternative Name(s) attribute via the CA Web enrollment page, executing the preceding steps could not result in a certificate that includes a SAN entry.

Solution

To solve this, we need to run this command through the administrative command prompt:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

After running this command, make sure to restart the ADCS Services by running

net stop certsvc and net start certsvc

Now, you can create the certificate with the SAN entry by using the CA’s web enrollment page.

If you need help with your PKI environment, feel free to email us at info@encryptionconsulting.com

Conclusion

All the domain names and IP addresses protected by the certificate are organized into a SAN or subject alternative name. You can easily add SAN entries to the certificates by following the certain instructions depicted in this blog. There is an issue when the certificate generated comes out without a SAN entry, even after adding a SAN entry. This can be solved by running a single command which adds the entry, and now you can create the certificate.

Implementing & migrating PKI solutions for enterprises

About the Author

Nishiket

Nishiket Kumar is a Consultant at Encryption Consulting, working with PKIs, HSMs and working as a consultant with high-profile clients.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Adding SAN (Subject Alternative Name) into Additional Attributes