
How to add a Subject Alternative Name to a secure LDAP certificate

I commonly need to use PKI certificates that are bound to a single IP address but host multiple DNS service names, typically spanning several ports. This can easily be done by adding Subject Alternative Names to a certificate. However, if you are using an internal Windows Certificate Authority, you must first enable this feature. To do so, follow this KB.

How to configure a CA to accept a SAN attribute from a certificate request

By default, a CA that is configured on a Windows Server 2003-based computer does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

How to use Web enrollment pages to submit a certificate request to a stand-alone CA

To submit a certificate request that includes a SAN to a stand-alone CA, follow these steps:

  1. Open Internet Explorer.
  2. In Internet Explorer, connect to http://servername/certsrv (servername = your CA server, which must have Certificate Services Web Enrollment Support installed).

In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:
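The EditFlags change above makes the CA honour whatever SAN attributes a requester types into the enrollment form, so two checks are worth having alongside the procedure: which CAs on a host have that bit set, and whether the LDAPS listener is actually presenting a certificate that carries the DNS names you asked for. The PowerShell below is an added example written for this page, not code from the KB or the post; it assumes PowerShell 5 or later (for the `::new()` syntax), local administrator rights on the CA for the registry read, English-language output from the SAN extension's `Format()` method, and placeholder hostnames (`dc01.example.com`, `ldap.example.com`) that you replace with your own directory servers.

```powershell
# Bit that "certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2" sets.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

function Get-CASanAttributeFlag {
    # Reads EditFlags for each CA configured on this host and reports whether
    # SAN request attributes will be honoured. Registry path is the one
    # certutil -setreg policy\... writes to.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    foreach ($ca in Get-ChildItem -Path $base) {
        $policy = "$base\$($ca.PSChildName)\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
        $flags  = (Get-ItemProperty -Path $policy -Name EditFlags).EditFlags
        [pscustomobject]@{
            CA                    = $ca.PSChildName
            EditFlags             = ('0x{0:X}' -f $flags)
            SanAttributesAccepted = [bool]($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)
        }
    }
}

function Get-LdapsServerCertificate {
    param([string]$Server, [int]$Port = 636)
    # Opens a TLS session to the LDAPS port and returns the certificate the
    # server presents. Chain validation is deliberately skipped here because
    # the goal is to inspect the certificate, not to trust it.
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

function Test-CertificateSan {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$ExpectedDnsNames
    )
    # Pulls the DNS names out of the SAN extension (OID 2.5.29.17) and compares
    # them with the names the service is expected to answer to.
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $sanExt) {
        return [pscustomobject]@{ HasSan = $false; Present = @(); Missing = $ExpectedDnsNames; AllPresent = $false }
    }
    # Format($true) yields one entry per line, e.g. "DNS Name=ldap.example.com"
    # (English Windows; other locales label the entries differently).
    $present = @($sanExt.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() } })
    $missing = @($ExpectedDnsNames | Where-Object { $present -notcontains $_ })
    [pscustomobject]@{
        HasSan     = $true
        Present    = $present
        Missing    = $missing
        AllPresent = ($missing.Count -eq 0)
    }
}

# Usage (placeholder hosts):
Get-CASanAttributeFlag | Format-Table -AutoSize
$cert = Get-LdapsServerCertificate -Server 'dc01.example.com'
Test-CertificateSan -Certificate $cert -ExpectedDnsNames 'dc01.example.com', 'ldap.example.com', 'example.com'
```

Run the first function on the CA itself and the other two from any domain member; a `Missing` list that is not empty usually means either the SAN attributes were dropped at issuance (the flag was not set when the request was submitted) or the domain controller picked a different certificate for its LDAPS listener than the one you just enrolled.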
I have added several dozen DNS names to a single cert, which has worked well.
Ed McKinzie

Categories: Active Directory