To create a CSR and include not only a CN (Common Name) but also a SAN(s) too, you can use the following process.
1. Firstly create a text file called request.inf and fill it with the following:
;----------------- request.inf -----------------
[Version] Signature= $Windows NT$ [NewRequest] Subject = "CN=host0.oaklands.ac.uk, OU=Department, O=Organisation, L=Town, S=County, C=Country" ; replace attributes in this line using example below
KeySpec = 1
KeyLength = 2048
; Can be 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
FriendlyName = vdm
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = Microsoft RSA SChannel Cryptographic Provider
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 [EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication [Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=host1.domain.com&"
_continue_ = "dns=host2.domain.com" ;----------------------------------------------- |
2. Now run this command to create a CSR:
| > certreq -new request.inf certreq.txt |
3. Send this CSR to your CA, when you get the file back run the command below:
| > certreq -accept cert.cer |
4. To ensure it has been added correctly, check the Certificate MMC snap-in. | 