Q: How can I request a certificate from a Windows machine with Subject Alternate Names?

A: Many services communicate using a name other than the machine's host name, either for the initial connection or for ongoing traffic. For example, Work Folders requires the server to authenticate when it is addressed as workfolders.<domain.com>, Workplace Join requires the AD FS server to authenticate when it is addressed as enterpriseregistration.<domain.com>, and there are many more. Fortunately, issuing a certificate that covers these extra names is easy to do.

First, ensure you have a certificate template available that machines or users can enroll with and whose subject name is supplied in the request rather than built automatically from Active Directory (a template that builds the subject automatically ignores any names you type in). Then do the following:

  1. In the Certificates snap-in, opened with focus on the local Computer account, select Personal, then select the All Tasks - Request New Certificate... action.
  2. Click Next in the enrollment wizard.
  3. Ensure Active Directory Enrollment Policy is selected and click Next.
  4. Select the template you want to use (for example, Web Server), click the Details arrow, and click Properties.
  5. On the Subject tab, add the Subject name, then add each required Alternative name, as the screen shot shows.
  6. Click OK, then click Enroll.

The new certificate will be available in the computer's Personal store and can be used for an HTTPS binding and for other services.
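The same enrollment from PowerShell, as an added example that is not part of the original answer: it requests the certificate through the Active Directory enrollment policy with the PKI module's Get-Certificate and then verifies that the issued certificate really carries every requested DNS name (the template name, subject and host names below are assumed placeholders).

```powershell
# Added example (not from the original answer). Assumes an enterprise CA that
# publishes a template named 'WebServer' whose subject is supplied in the
# request, and an elevated prompt (the request is written to the machine store).
$templateName = 'WebServer'                       # assumed template name
$subjectName  = 'CN=srv01.corp.example.com'       # constructed placeholder
$dnsNames     = @(                                # constructed placeholders
    'srv01.corp.example.com',
    'workfolders.corp.example.com',
    'enterpriseregistration.corp.example.com'
)

# Submit the request via Active Directory enrollment policy (the default -Url
# is LDAP:) and store the result in the local computer's Personal store.
$enroll = Get-Certificate -Template $templateName `
                          -SubjectName $subjectName `
                          -DnsName $dnsNames `
                          -CertStoreLocation 'Cert:\LocalMachine\My'

# A template that requires CA manager approval returns Pending, not Issued.
if ($enroll.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is '$($enroll.Status)'"
}
$cert = $enroll.Certificate

# Read the Subject Alternative Name extension (OID 2.5.29.17). If the template
# builds the subject from AD instead of the request, the names typed in are
# silently dropped, so check what was actually issued before binding it.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) {
    throw "Issued certificate has no SAN extension; check the template's Subject Name setting"
}

# Format($false) yields e.g. 'DNS Name=a, DNS Name=b' on English systems;
# the label is localized, so adjust the pattern on other UI languages.
$issuedNames = $sanExt.Format($false) -split ',\s*' |
    Where-Object { $_ -match '^DNS Name=' } |
    ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }

$missing = $dnsNames | Where-Object { $issuedNames -notcontains $_ }
if ($missing) {
    throw "Issued certificate is missing SAN entries: $($missing -join ', ')"
}

Write-Host "Issued $($cert.Thumbprint) with SAN: $($issuedNames -join ', ')"
```

The thumbprint printed at the end is the one to reference when creating the HTTPS binding.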