How to generate a certificate with SAN attributes


Issue Description

Modern browsers (Chrome since version 58, and current Firefox, Edge and Safari) ignore the certificate's Common Name and require the host name to appear in the Subject Alternative Name (SAN) extension. The IIS Manager certificate request wizard cannot add SAN entries, so a certificate that these browsers will accept cannot be generated through IIS; use the MMC custom request described below instead.

Also check with your network administrator whether your organization has a different process for requesting certificates.

Generating a Domain Certificate through MMC via a Domain Certificate Authority

  1. Note: This requires an enterprise Certificate Authority (Active Directory Certificate Services) in the domain that can issue certificates.
  2. Open the Manage Computer Certificates console: Start->Run->type certlm.msc and OK.
  3. Right-click on the Personal node->All Tasks->Advanced Operations->Create Custom Request, then click Next on the welcome screen.
  4. In "Select Certificate Enrollment Policy" choose "Active Directory Enrollment Policy".
  5. In the next screen, select a certificate template intended for web servers. It is usually called "Web Server" or "Web.SAN", but the name may vary by organization. Then set "Request Format" -> "PKCS #10".
  6. In "Certificate Information", click on the "Details" of the request and then click "Properties" button to customize the certificate request as follows:
  7. Customize the info from the tab "Subject"
    • In the group "Subject name", choose Type -> Common Name and Value -> the fully qualified domain name (FQDN) of the machine, e.g. myhost.domain.local. Then click Add.
    • In the group "Alternative name", choose Type -> DNS and Value -> the machine's FQDN (the same as above). Then click Add.
    • If Orchestrator will be installed on multiple nodes, add a DNS alternative name for each node's FQDN in the same way, and also add the FQDN of the load balancer. Browsers match the host name they connect to against the SAN list only, so every name users will type into the address bar must appear there.
  8. Customize the info from the tab "Private Key"
    • In "Cryptographic Service Provider", under "Select cryptographic service provider (CSP)", check "Microsoft RSA SChannel Cryptographic Provider (Encryption)".
    • In "Key options", make sure field "Key Size" is set to at least 2048 and "Make private key exportable" is checked.
    • In "Key type", make sure "Key usage" is set to "Exchange"
  9. Click on "OK" button of the configuration window and "Next" in the "Certificate Information" screen.
  10. In the next screen, choose "File format" -> "Base 64" and a file name of your choice, e.g. C:\Users\YourUser\Documents\sslRequest.req
  11. Submit the saved request file to the Certificate Authority (for example with certreq -submit, or through the CA's web enrollment page). Once the CA has issued the certificate, install it on the requesting machine (certreq -accept); it then appears in the Personal store with its private key attached. If the private key is missing, the certificate was installed on a machine other than the one that generated the request.
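The same procedure can be driven from the command line with certreq, which is convenient when the request has to be repeated for several nodes or audited. The script below is an added example and is not part of the original article or of Orchestrator itself. It writes a certreq .inf that mirrors the MMC settings above (CN plus a SAN entry for every node and the load balancer, 2048-bit exportable RSA key in the machine store, Exchange key type, PKCS #10), creates and submits the request, installs the issued certificate, and then verifies that the SAN extension really lists every name. The host names, the CA configuration string and the template name are assumptions and must be replaced with your own.

```powershell
# Added example (not from the original article): the MMC custom-request
# procedure expressed as a certreq-based script. Host names, the CA config
# string and the template name are assumptions; replace them.
# Run from an elevated PowerShell prompt on the machine that will hold the key.

$Nodes        = @('orch-node1.domain.local', 'orch-node2.domain.local')  # assumed node FQDNs
$LoadBalancer = 'orchestrator.domain.local'                               # assumed LB FQDN
$CaConfig     = 'ca01.domain.local\Contoso-Issuing-CA'                    # assumed "CAHost\CAName"
$Template     = 'WebServer'   # template *name*, not display name; your CA's may differ
$WorkDir      = Join-Path $env:TEMP 'sslRequest'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$AllNames = @($Nodes + $LoadBalancer | Select-Object -Unique)
$Subject  = "CN=$($Nodes[0])"   # CN = this node's FQDN, as in step 7

# Build the SAN extension (OID 2.5.29.17) in certreq's "{text}" syntax:
# every entry except the last ends with '&'.
$SanLines = for ($i = 0; $i -lt $AllNames.Count; $i++) {
    $sep = if ($i -lt $AllNames.Count - 1) { '&' } else { '' }
    "_continue_ = `"dns=$($AllNames[$i])$sep`""
}

$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
Exportable = TRUE                    ; step 8: "Make private key exportable"
KeyLength = 2048                     ; step 8: at least 2048
KeySpec = 1                          ; 1 = AT_KEYEXCHANGE, the "Exchange" key type
KeyUsage = 0xA0                      ; Digital Signature + Key Encipherment
MachineKeySet = TRUE                 ; key lives in the computer (certlm) store
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10                 ; step 5: PKCS #10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1              ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
$($SanLines -join "`r`n")

[RequestAttributes]
CertificateTemplate = $Template
"@

$InfPath = Join-Path $WorkDir 'sslRequest.inf'
$ReqPath = Join-Path $WorkDir 'sslRequest.req'
$CerPath = Join-Path $WorkDir 'sslRequest.cer'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# 1. Generate the key pair in the machine store and the Base64 PKCS #10 request (step 10).
certreq -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed" }

# 2. Submit to the enterprise CA. If the template requires manager approval the
#    request is pended; fetch it later with: certreq -retrieve <RequestId> <cer file>
certreq -submit -config $CaConfig $ReqPath $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed (pending approval, or wrong CA config?)" }

# 3. Install the issued certificate and bind it to the private key (step 11).
certreq -accept $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed" }

# 4. Verify: the certificate is in LocalMachine\My, has its private key, and its SAN
#    extension lists every FQDN. Browsers ignore the CN, so this is the check that matters.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $Cert)                { throw "Issued certificate not found in LocalMachine\My" }
if (-not $Cert.HasPrivateKey)  { throw "Certificate has no private key bound" }

$SanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $SanExt) { throw "Certificate has no Subject Alternative Name extension" }
$SanText = $SanExt.Format($true)
foreach ($name in $AllNames) {
    if ($SanText -notmatch [regex]::Escape($name)) { throw "SAN is missing $name" }
}
Write-Host "OK: $($Cert.Thumbprint) SAN = $($SanText -replace '\s+', ' ')"
```

The verification step is worth keeping even when you use the MMC wizard: some CA templates are configured to build the subject from Active Directory and silently discard the SAN entries supplied in the request, and the only way to notice is to inspect the issued certificate's extensions. The exportable, machine-store key is what lets you later export the certificate as a .pfx and import it on the other Orchestrator nodes; the .pfx should be protected with a strong password and deleted after import.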