
Adding SAN (Subject Alternative Name) into Additional Attributes



All the domain names and IP addresses protected by a certificate are listed in its SAN (Subject Alternative Name) extension. SANs must be included in an SSL/TLS certificate whenever additional website endpoints need to be secured, so that the IP address resolved by the DNS server can be matched to a domain name on the certificate.

The SAN information can be viewed in the SSL/TLS certificate details by clicking the padlock icon in most web browsers' address bars.

In this blog, we will walk through how to add Subject Alternative Name attributes to a certificate, i.e., Web Server Certificate Enrollment with a SAN extension. We will also cover a common error: adding a SAN (Subject Alternative Name) in the Additional Attributes field of the Microsoft CA certificate request form does not automatically produce a certificate with a "Subject Alternative Name" entry.

Web Server Certificate Enrollment with SAN Extension

Enrolling a certificate with a custom SAN extension is straightforward. Follow the steps below and the certificate will be issued with the SAN values you specify.

Setting Certificate Template

Most certificate templates are configured to build the subject name from Active Directory. SSL certificates, however, need a custom subject name, so their template must use "Supply in the request" instead. If you are using the default Web Server template, there is nothing to modify. For a custom certificate template, update its subject name setting to "Supply in the request" as described here.


Also, you need to grant your account Read and Enroll permissions on the template's Security tab.

Setting Certification Authority

  • Open the certsrv console and expand the Issuing CA.
  • Open the Certificate Templates node.
  • Check whether the template is listed there; if not, right-click Certificate Templates and choose New -> Certificate Template to Issue.
  • Select the required template and click Add.

Certificate Enrollment Process

  • Open the mmc console. In the Console1 window, go to File -> Add/Remove Snap-in.
  • In the Add/Remove Snap-in dialog box, select Certificates and click Add.
  • In the Certificates snap-in dialog box, select Computer account and click Next.
  • In the Select Computer window, select Local computer and click Finish.
  • Click OK and close the Add/Remove Snap-in dialog box.
  • Right-click the Personal node and choose All Tasks -> Request New Certificate.
  • On the Before You Begin page, click Next.
  • On the Select Certificate Enrollment Policy page, select the appropriate policy and click Next.
  • On the Request Certificates page, select the required template, expand its details, and open its Properties to configure it.
  • The Certificate Properties dialog box will appear.
  • Since you are using a Subject Alternative Name (SAN), you can leave the Subject name empty. In the Alternative name dropdown, select the proper type for the SAN (for SSL certificates, DNS is the usual choice).
  • In the Value box, enter each name in the corresponding format and click Add. Repeat this step for every value you want to add.
  • Click OK and close the properties. You will return to the Request Certificates page; click Enroll.
  • Click Finish when the certificate has been successfully installed.
  • You can now open the certificate and view its Subject Alternative Name details.
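The same enrollment can be scripted with certreq, which carries the SAN inside the request's own extension exactly as the MMC wizard does. This is an added example, not part of the original post; the hostnames, IP address, CA config string and file paths are placeholders, and the WebServer template name is the default template.

```powershell
# Added example (not from the original post): scripted equivalent of the MMC enrollment.
# Placeholders: the DNS names, the TEST-NET IP and the "host\CA name" config string.
$names    = @('www.example.com', 'example.com')
$ip       = '192.0.2.10'
$caConfig = 'CA01.example.com\Example-Issuing-CA'

# SAN goes into the request as extension OID 2.5.29.17 in certreq's {text} encoding:
# one "_continue_" line per name, each terminated with '&'.
$sanLines = ($names | ForEach-Object { "_continue_ = `"dns=$_&`"" }) +
            "_continue_ = `"ipaddress=$ip&`""

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$($names[0])"
KeyLength = 2048
KeyAlgorithm = RSA
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
KeyUsage = 0xA0

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`n")

[RequestAttributes]
CertificateTemplate = WebServer
"@

Set-Content -Path .\san.inf -Value $inf -Encoding ASCII
certreq -new .\san.inf .\san.req                      # generate key pair + CSR in the machine store
certreq -submit -config $caConfig .\san.req .\san.cer # submit to the issuing CA
certreq -accept .\san.cer                             # bind the issued cert to its private key

# Verify that the issued certificate really carries the SAN extension.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$($names[0])" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $san.Format($true) } else { Write-Warning 'Issued certificate has no SAN extension' }
```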

Troubleshooting

Issue

The generated certificate does not include a SAN (Subject Alternative Name) entry even though a SAN was added in the Additional Attributes field.

Cause

If the Microsoft CA's issuance policy is not configured to accept the Subject Alternative Name attribute submitted through the CA web enrollment page, the preceding steps will not produce a certificate that includes a SAN entry.

Solution

To solve this, run the following command from an administrative command prompt on the CA:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

After running this command, restart the AD CS service so the new setting takes effect:

net stop certsvc
net start certsvc

Now you can create the certificate with the SAN entry through the CA's web enrollment page.
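EDITF_ATTRIBUTESUBJECTALTNAME2 makes the CA honour a SAN passed as a request attribute for every template it issues, not only the Web Server template, so the CA owner should know whether it is set and clear it once enrollment carries the SAN inside the request itself (the MMC or certreq route above). This added check, not part of the original post, reads the active CA's policy-module EditFlags from the registry; it assumes an elevated PowerShell session on the CA host.

```powershell
# Added example (not from the original post): report whether the active CA's policy module
# has EDITF_ATTRIBUTESUBJECTALTNAME2 set (the flag the certutil command above adds).
# Assumption: run elevated on the CA host itself.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # bit value of the flag inside EditFlags

function Get-CaSanAttributeFlag {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # The CA name and the active policy module are both recorded under the Configuration key.
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $policy = (Get-ItemProperty -Path "$cfg\$caName\PolicyModules" -Name Active).Active
    $flags  = (Get-ItemProperty -Path "$cfg\$caName\PolicyModules\$policy" -Name EditFlags).EditFlags

    [pscustomobject]@{
        CA                       = $caName
        PolicyModule             = $policy
        EditFlags                = ('0x{0:x}' -f $flags)
        SanFromRequestAttributes = (($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
    }
}

$state = Get-CaSanAttributeFlag
$state | Format-List

if ($state.SanFromRequestAttributes) {
    $msg = "{0} honours SAN values passed as request attributes on every template it issues. " +
           "If the SAN is now carried inside the request (MMC wizard or certreq INF), clear the flag and restart the service:"
    Write-Warning ($msg -f $state.CA)
    Write-Host '  certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2'
    Write-Host '  net stop certsvc'
    Write-Host '  net start certsvc'
}
```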

If you need help with your PKI environment, feel free to email us at info@encryptionconsulting.com

Conclusion

All the domain names and IP addresses protected by a certificate are listed in its SAN, or Subject Alternative Name, extension. You can add SAN entries to a certificate by following the steps described in this blog. If the issued certificate comes out without a SAN entry even though one was added in the Additional Attributes field, a single certutil command on the CA enables the setting, after which the certificate can be created with the SAN entry.


About the Author

Nishiket Kumar is a Consultant at Encryption Consulting, working with PKIs, HSMs and working as a consultant with high-profile clients.
