To create a CSR that includes not only a CN (Common Name) but also one or more SANs (Subject Alternative Names), you can use the following process.

1. First, create a text file called request.inf and fill it with the following:

;----------------- request.inf -----------------

[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=host0.oaklands.ac.uk, OU=Department, O=Organisation, L=Town, S=County, C=Country" ; replace attributes in this line using example below
KeySpec = 1
KeyLength = 2048
; Can be 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE ; TRUE lets the private key be exported along with the certificate
FriendlyName = vdm
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; Digital Signature + Key Encipherment

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[Extensions]
; One SAN per _continue_ line; every entry except the last ends with &
2.5.29.17 = "{text}"
_continue_ = "dns=host1.domain.com&"
_continue_ = "dns=host2.domain.com"

;-----------------------------------------------

2. Now run this command to create a CSR:
> certreq -new request.inf certreq.txt

3. Send this CSR to your CA. When you get the file back, run the command below:
> certreq -accept cert.cer

4. To ensure it has been added correctly, check the Certificate MMC snap-in.
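
A check that can be run between steps 2 and 3, before the CSR goes to the CA. This PowerShell script is an added example, not part of the original procedure: it compares the dns= entries in request.inf with the SANs that certutil -dump reports for certreq.txt. It assumes one dns= entry per _continue_ line, as in the file above, and English certutil output that lists SANs as "DNS Name=" lines.

```powershell
# Added example, not from the original page.
# Run in the folder that holds request.inf and the certreq.txt produced in step 2.
$text = Get-Content -Path .\request.inf -Raw

# CN from the Subject line, e.g. Subject = "CN=host0.oaklands.ac.uk, OU=..."
$cn = [regex]::Match($text, '(?im)^\s*Subject\s*=\s*"CN=([^,"]+)').Groups[1].Value.Trim()

# Requested SANs: one dns= entry per _continue_ line; the trailing & is a separator.
$wanted = @([regex]::Matches($text, '(?im)^\s*_continue_\s*=\s*"dns=([^&"\s]+)') |
    ForEach-Object { $_.Groups[1].Value })
if ($wanted.Count -eq 0) { throw 'No dns= entries found in request.inf' }

# Decode the CSR. Assumption: SANs appear as lines of the form "DNS Name=<host>".
$dump = certutil -dump .\certreq.txt
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse certreq.txt ($LASTEXITCODE)" }
$inCsr = @($dump | Select-String -Pattern 'DNS Name=(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value })

# Every name asked for in the INF must be present in the CSR (comparison ignores case).
$missing = @($wanted | Where-Object { $inCsr -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "SANs missing from the CSR: $($missing -join ', ')"
}

# Clients that match host names against the SAN list do not fall back to the CN,
# so a CN host that is not also listed as a SAN will fail validation there.
if ($cn -and ($wanted -notcontains $cn)) {
    Write-Warning "CN '$cn' is not in the SAN list; add a dns=$cn entry if clients connect to that name."
}

"CSR contains SANs: $($inCsr -join ', ')"
```

With the sample request.inf above, the script reports host1.domain.com and host2.domain.com and warns that host0.oaklands.ac.uk appears only in the CN.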