Create a SSL CSR from Command Line with Subject Alternate Name

Microsoft Windows

To create a CSR and include not only a CN (Common Name) but also a SAN(s) too, you can use the following process.

1. Firstly create a text file called request.inf and fill it with the following:

;----------------- request.inf -----------------
Signature= $Windows NT$
Subject = ", OU=Department, O=Organisation, L=Town, S=County, C=Country" ; replace attributes in this line using example below
KeySpec = 1
KeyLength = 2048
; Can be 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
FriendlyName = vdm
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = Microsoft RSA SChannel Cryptographic Provider
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
OID= ; this is for Server Authentication
[Extensions] = "{text}"
_continue_ = ""
_continue_ = ""

2. Now run this command to create a CSR:

> certreq -new request.inf certreq.txt

You can check it has the right info here: before sending to your CA.

3. Send this CSR to your CA, when you get the file back run the command below:

 > certreq -accept cert.cer

4. To ensure it has been added correctly, check the Certificate MMC snap-in.

Leave a Reply

Your email address will not be published.