Q: Do I need to upgrade to Windows Server 2008 to get Subject Alternative Name (SAN) certificate support, or can I create a SAN certificate for my Windows Server 2003 web server using a Server 2003 Certification Authority (CA)? I'd like to include the www.mycompany.net and www.mycompany.com namespaces in the certificate's SAN fields.

A: A Server 2003 CA can create SAN certificates, but it doesn't support this option by default. Before you can issue SAN certificates, you must change the configuration of the Server 2003 CA. This configuration change can only be made from the command line, with the following commands:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

The last two commands stop and restart the CA service so that the configuration change takes effect.

Next, to obtain a SAN certificate from a Server 2003 CA for your Server 2003 web server, you must use either the CA Web enrollment pages or the certreq.exe command line utility. You can't use the Certificate Request Wizard to obtain a SAN certificate on a Server 2003 system.

In the example in the question, to obtain a SAN certificate for a web server with the www.mycompany.com and the www.mycompany.net DNS namespaces using the CA Web enrollment pages, follow these steps:

  • From the web server where you want to install the SAN certificate, use a browser to connect to the CA Web enrollment pages. The default URL is http://<CA_Server_Name>/certsrv.
  • Click Request a certificate.
  • Click advanced certificate request.
  • Click Create and submit a request to this CA.
  • Select the Web Server certificate template and fill in the name of your web server. Most importantly, in the Additional Options section (at the bottom of the page), in the Attributes field, fill in the SAN attribute using the following syntax:
    san:dns=www.mycompany.com&dns=www.mycompany.net

  • Click Submit to send the certificate request to the CA.
  • If the certificate was generated successfully, you'll get a web page that gives you the option to install the certificate.

The Windows Server 2003 procedure for obtaining SAN certificates is outlined in greater detail in the Microsoft Knowledge Base.
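
The certreq.exe route mentioned above, written out as a batch script to run on the web server; this is an added example, not part of the original answer. Because the EDITF_ATTRIBUTESUBJECTALTNAME2 flag makes the CA accept SAN values supplied in the request attributes, the last step dumps the issued certificate so the names in it can be checked. It assumes an enterprise CA that publishes the WebServer template; CA_SERVER_NAME\CA_NAME and the file names are placeholders.

```bat
@echo off
rem Added example, not from the original article: certreq.exe route to the
rem same SAN certificate. CA_CONFIG and the file names are placeholders.
setlocal
set CA_CONFIG=CA_SERVER_NAME\CA_NAME

rem On the CA itself, confirm the policy flag is set before requesting:
rem   certutil -getreg policy\EditFlags

rem 1. Describe the key pair and subject. The SAN is not part of this file;
rem    it is passed as a request attribute in step 3.
> request.inf (
  echo [Version]
  echo Signature="$Windows NT$"
  echo [NewRequest]
  echo Subject = "CN=www.mycompany.com"
  echo KeySpec = 1
  echo KeyLength = 2048
  echo Exportable = FALSE
  echo MachineKeySet = TRUE
  echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
  echo ProviderType = 12
  echo RequestType = PKCS10
  echo [RequestAttributes]
  echo CertificateTemplate = WebServer
)

rem 2. Generate the key pair and the PKCS#10 request.
certreq -new request.inf certnew.req
if errorlevel 1 exit /b 1

rem 3. Submit with the same SAN attribute string used on the web enrollment page.
certreq -submit -config "%CA_CONFIG%" -attrib "SAN:dns=www.mycompany.com&dns=www.mycompany.net" certnew.req certnew.cer
if errorlevel 1 exit /b 1

rem 4. Install the issued certificate into the machine store.
certreq -accept certnew.cer
if errorlevel 1 exit /b 1

rem 5. Check that the issued certificate carries exactly the two requested names.
certutil -dump certnew.cer | findstr /i /c:"DNS Name"
```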
