How To Generate A Certificate With SAN attributes

How to generate a certificate with SAN attributes?

Issue Description: Modern browsers require that the host name a site is reached by be listed in the certificate's Subject Alternative Name (SAN) extension; they no longer fall back to the Subject Common Name (Chrome dropped that fallback in version 58, and other browsers behave the same way). The IIS Manager certificate wizards only populate the Common Name and offer no field for a SAN, so a certificate that modern browsers accept cannot be generated through IIS. Check with the network admin to see whether a different process (for example an internal domain CA) is required for generating certificates.

Generating a Domain Certificate through MMC via a Domain Certificate Authority

Note: This requires an enterprise (Active Directory Certificate Services) CA on the domain that can issue certificates.
  1. Open the Manage Computer Certificates console: Start->Run->type certlm.msc->OK.
  2. Right-click the Personal node->All Tasks->Advanced Operations->Create Custom Request, then click Next on the welcome screen.
  3. In "Select Certificate Enrollment Policy" choose "Active Directory Enrollment Policy".
  4. In the next screen, choose a certificate template designated for web server use. It is usually called "Web Server" (some CAs publish a variant such as "Web.SAN"), but the name may vary. Then choose "Request Format" -> "PKCS #10".
  5. In "Certificate Information", expand the "Details" of the request and click the "Properties" button to customize the certificate request as follows:
  6. Customize the info in the "Subject" tab
    • In the group "Subject name", choose Type -> Common Name and Value -> the fully qualified domain name of the machine (FQDN), e.g. myhost.domain.local. Then click Add.
    • In the group "Alternative name", choose Type -> DNS and Value -> the machine's FQDN (the same as above). Then click Add. Browsers match the host name against this list, not against the Common Name, so every name users will type in the address bar must appear here.
    • If Orchestrator will be installed on multiple nodes, add the FQDN of every node as a DNS alternative name in the same way, and also add the FQDN of the load balancer.
  7. Customize the info from the tab "Private Key"
    • In "Cryptographic Service Provider", under "Select cryptographic service provider (CSP)", check "Microsoft RSA SChannel Cryptographic Provider (Encryption)".
    • In "Key options", make sure "Key size" is at least 2048 and "Make private key exportable" is checked. Exportable is needed only so the certificate and its key can be copied to the other Orchestrator nodes; protect any exported PFX with a strong password and delete the file once it has been imported.
    • In "Key type", make sure "Key usage" is set to "Exchange".
  8. Click on "OK" button of the configuration window and "Next" in the "Certificate Information" screen.
  9. In the next screen, choose "File format" -> "Base 64" and a file name of your choice, e.g. C:\Users\YourUser\Documents\sslRequest.req, then click Finish.
  10. Submit the .req file to the domain CA (through the CA's web enrollment page, certreq -submit, or whatever process your network admin uses). Until it is issued, the pending request is listed under "Certificate Enrollment Requests". Once the CA accepts it, install the returned certificate on the same machine (for example with certreq -accept); it then appears in the Personal store, paired with its private key.
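The same request can be scripted with certreq, which makes the SAN list explicit and reviewable and avoids clicking through the MMC wizard on every node. The following is an added example, not a command from the original article: it builds the request .inf with the settings chosen in the steps above (RSA 2048, SChannel provider, exchange key, exportable, PKCS #10, Base64), submits it to the CA and installs the issued certificate. The host names, the CA configuration string and the template name are placeholders; the first FQDN is the page's own example.

```powershell
# Added example (not the article's own commands). Run in an elevated PowerShell
# on the Orchestrator node. Assumed placeholders: the FQDNs, $CaConfig and $Template.

$Fqdn     = "myhost.domain.local"                                   # Common Name (the page's example FQDN)
$Sans     = @("myhost.domain.local", "node2.domain.local",
              "orchestrator.domain.local")                          # every node + the load balancer (assumed names)
$CaConfig = "ca01.domain.local\Domain-CA"                           # assumed; list CAs with: certutil -config - -ping
$Template = "WebServer"                                             # assumed template name; the page says it varies

# SAN extension (OID 2.5.29.17) in the {text} form certreq understands: dns=a&dns=b&...
$SanText = ($Sans | ForEach-Object { "dns=$_" }) -join "&"

$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1               ; AT_KEYEXCHANGE, the "Exchange" key type from the MMC steps
KeyUsage = 0xA0           ; digitalSignature + keyEncipherment
Exportable = TRUE         ; needed only to copy the cert to other nodes
MachineKeySet = TRUE      ; key lives in the computer store (certlm.msc), not the user profile
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = SHA256

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$SanText"

[RequestAttributes]
CertificateTemplate = $Template
"@

$Work = "$env:USERPROFILE\Documents"
Set-Content -Path "$Work\sslRequest.inf" -Value $Inf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the Base64 PKCS#10 request
certreq -new "$Work\sslRequest.inf" "$Work\sslRequest.req"

# 2. Submit to the enterprise CA. If the template auto-approves, the .cer comes back at once;
#    otherwise note the RequestId and fetch it later with: certreq -retrieve <RequestId> sslCert.cer
certreq -submit -config $CaConfig "$Work\sslRequest.req" "$Work\sslCert.cer"

# 3. Pair the issued certificate with its private key in Cert:\LocalMachine\My
certreq -accept "$Work\sslCert.cer"

# 4. Verify the SAN actually made it into the issued certificate before binding it in IIS.
#    A CA that ignores request extensions silently drops the SAN, which is the usual cause
#    of a browser still reporting NET::ERR_CERT_COMMON_NAME_INVALID after "successful" enrollment.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
($Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }).Format($true)
```

If step 4 prints nothing, the CA did not honour the SAN in the request; the template must allow the requester to supply the subject, or the CA administrator must add the names on their side, before the certificate is of any use to a browser.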

Generating a self-signed certificate for a custom name with SAN

  • New-SelfSignedCertificate -DnsName "myhost.domain.local" -CertStoreLocation Cert:\LocalMachine\My

  1. Run the above PowerShell command as administrator to generate the certificate, replacing myhost.domain.local with the FQDN users will browse to. Every name passed to -DnsName becomes a DNS entry in the SAN extension, and the first one is also used as the Common Name. Then copy the same certificate from the Personal store to the Trusted Root Certification Authorities store.
  2. Once the certificate is in both the Personal and the Trusted Root Certification Authorities stores, bind it to the Orchestrator website in IIS. Only machines where the certificate has been imported will trust it, so every Robot and browser that connects must import it as well; this is acceptable for test environments, but production should use a certificate issued by the domain CA as described above.
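The one-liner above covers a single host. The following is an added example, not a command from the original article, that carries the procedure through for a multi-node deployment: it issues one self-signed certificate whose SAN lists every node and the load balancer, copies its public part into Trusted Root on the local machine, binds it to the site in IIS and prints the SAN so the result can be checked. The host names, site name and port are placeholder assumptions.

```powershell
# Added example (not the article's own commands). Run in an elevated PowerShell on the
# IIS host. Assumed placeholders: the FQDNs in $Sans, $SiteName and $Port.

$Sans     = @("orchestrator.domain.local",      # load balancer name: first entry becomes the CN
              "node1.domain.local",
              "node2.domain.local")
$SiteName = "UiPath Orchestrator"               # assumed IIS site name
$Port     = 443

# Same choices as the MMC procedure: RSA 2048, exchange key, exportable, SHA-256.
$Params = @{
    DnsName           = $Sans                    # each name becomes a DNS SAN entry
    CertStoreLocation = "Cert:\LocalMachine\My"  # computer Personal store (certlm.msc)
    KeyAlgorithm      = "RSA"
    KeyLength         = 2048
    KeyExportPolicy   = "Exportable"             # only so the cert can be copied to the other nodes
    KeySpec           = "KeyExchange"
    HashAlgorithm     = "SHA256"
    NotAfter          = (Get-Date).AddYears(2)   # the cmdlet's default is one year
    FriendlyName      = "Orchestrator self-signed"
}
$Cert = New-SelfSignedCertificate @Params

# Trust it on this machine: export the public certificate only (no private key) and
# import that .cer into Trusted Root. The same .cer must be imported on every Robot
# machine and browser host; nothing else will trust a self-signed certificate.
$CerPath = "$env:USERPROFILE\Documents\orchestrator-selfsigned.cer"
Export-Certificate -Cert $Cert -FilePath $CerPath | Out-Null
Import-Certificate -FilePath $CerPath -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# Bind the certificate to the Orchestrator site's HTTPS binding in IIS
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port
}
$Binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
$Binding.AddSslCertificate($Cert.Thumbprint, "My")

# Show the SAN list browsers will match against; every name users type must be here
($Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }).Format($true)
```

Because the certificate is its own issuer, revocation is impossible and the only way to retire it is to delete it from every Trusted Root store it was imported into; keep the list of those machines, and prefer the domain CA procedure for anything that outlives a test environment.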