One of our DEV environments had a CA-signed SSL certificate with 30 Subject Alternative Names; every time a new site was added I had to re-generate the cert and add another DNS entry. Doing it through the wizard took forever, so I set out to find a script to do this. I found the script on one of Microsoft's TechNet blogs, but the URL no longer works, so I'm dumping the info here.
The command below generates one certificate request for three sites; you can add as many alternative DNS names as you want. You can download the cert here if you want to take a look at it. I'm testing some F5 features now and needed to generate a cert, so I'm pasting all the details below.
mysite.mylab.local
server1.mylab.local
server2.mylab.local
- If you want the subject to be empty, remove the Subject line or use an empty "Subject =" (a request with no subject must carry a Subject Alternative Name, which this one does)
- If you don't want to use a template, remove the [RequestAttributes] section (an enterprise CA normally needs the template to issue, so keep it unless you are sending the CSR to a stand-alone or third-party CA)
This command generates a multi-domain (SAN) CA-signed SSL cert request. Run it on the machine that should hold the private key (in this case one of the Domain Controllers where the CA is installed): certreq -new creates the key pair in that host's machine key store, and the .pfx export later in this post has to happen on the same host. You may have to change the 'CertificateTemplate= WebServer' name if you changed your template names.
C:\temp> certreq -new request.inf request.csr
The request.inf input file that’s used to create the CSR
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=mysite.mylab.local" ; For a wildcard use "CN=*.CONTOSO.COM" for example
; For an empty subject use the following line instead, or remove the Subject line entirely
; Subject =
Exportable = TRUE ; Private key IS exportable; this is what allows the .pfx export below. Set FALSE if the key must never leave this host
KeyLength = 2048 ; 2048 is the minimum to use today, 4096 is fine; certreq also accepts 512 and 1024 but those are too weak to use
KeySpec = 1 ; AT_KEYEXCHANGE
KeyUsage = 0xE0 ; Digital Signature (0x80) + Non-Repudiation (0x40) + Key Encipherment (0x20); TLS only needs the first and last, so 0xA0 also works
MachineKeySet = True ; The key belongs to the local computer account, not to the user running certreq
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC ; PKCS10 also works here; CMC is what the original script used
; At least the certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below
[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=mysite.mylab.local&dns=server1.mylab.local&dns=server2.mylab.local"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"
[RequestAttributes]
CertificateTemplate= WebServer
;----------------- request.inf -----------------
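The INF above is hand-written for three names; with 30 or more it is easier to generate it. The following PowerShell is an added example, not code from the original post or the TechNet script: it builds request.inf from a list of DNS names, runs certreq -new, and then dumps the CSR with certutil to confirm the SAN entries were actually included before the request is sent anywhere. It assumes C:\temp is writable, the template is still called WebServer, the first name in the list doubles as the Subject CN, and it uses KeyUsage 0xA0 and sha256 rather than the 0xE0 / default hash of the INF above.

```powershell
# Added example, not from the original post: build request.inf from a list of
# DNS names (the "30 alternative names" case) and create the CSR with certreq.
# Assumptions: C:\temp is writable, the CA template is still called WebServer,
# and the first name in the list is also the Subject CN.
$Names    = @(
    'mysite.mylab.local',
    'server1.mylab.local',
    'server2.mylab.local'
    # ... add as many as you need; each becomes one dns= entry in the SAN
)
$Template = 'WebServer'
$OutDir   = 'C:\temp'

# SAN entries are joined with '&' inside the {text} value, as in the INF above
$san = ($Names | ForEach-Object { "dns=$_" }) -join '&'

# Double-quoted here-string: "`$" keeps the literal $ in "$Windows NT$"
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$($Names[0])"
FriendlyName = "$($Names[0])"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
HashAlgorithm = sha256
SMIME = FALSE
RequestType = CMC

[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}$san"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"

[RequestAttributes]
CertificateTemplate = $Template
"@

$infPath = Join-Path $OutDir 'request.inf'
$csrPath = Join-Path $OutDir 'request.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# certreq -new generates the key pair in the LocalMachine key store of THIS host
# and writes the request; run it elevated because MachineKeySet = True
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check the SAN made it into the request before handing the CSR to the CA;
# every name in $Names should appear as a "DNS Name=" line
& certutil.exe -dump $csrPath | Select-String -Pattern 'DNS Name='
```

Run it from an elevated PowerShell on the host that should own the key. If the certutil dump shows fewer DNS Name lines than you put in $Names, fix the INF before submitting; a CA will happily sign whatever SAN it receives.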
Generating the SSL cert
Do the following to generate the .crt file:
- Start > Run > mmc > File > Add/Remove Snap-in > Certification Authority > Add > Finish
- mylab-DC-CA > right-click > All Tasks > Submit new request...
- Browse to request.csr and click Open
- If the template issues automatically you get a Save As pop-up; save the cert as "mysite.mylab.local.crt" (if the request lands under Pending Requests instead, issue it there first, then export it from Issued Certificates)
Now that you have the .crt file you need to export a .pfx file, which bundles the certificate with its private key. Run this on the same server that ran certreq -new: the private key was generated into that host's machine key store and has never left it, so that is the only place the issued cert can be paired with its key.
- Start > Run > mmc > File > Add/Remove Snap-in > Certificates > Add > Computer account > Finish
- Expand Personal > Certificates, right-click > All Tasks > Import
- Browse to the .crt file
- Place all certificates in the Personal store > Next > Finish (the cert should now show a key icon; if it doesn't, the private key was not found on this host)
- Locate the cert in the Personal store > All Tasks > Export
- Yes, export the private key (this option is greyed out if the key was created with Exportable = FALSE)
- Personal Information Exchange – PKCS #12 (.PFX)
- Check "Include all certificates in the certification path if possible" so the issuing CA chain travels with it
- Check "Export all extended properties"
- Set a password; the .pfx contains the private key, so use a strong one and delete the file once it has been imported where it is needed
- Save as mysite.mylab.local.pfx
- Now you can import the .pfx into IIS, the F5, or wherever you need it
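The two MMC walkthroughs above (submit the CSR to the CA, then import the .crt and export a .pfx) can be scripted on the same host. This PowerShell is an added example and not part of the original post: it submits the request with certreq -submit, installs the issued cert against the pending request's private key with certreq -accept, verifies that every expected SAN survived CA policy, and exports the PFX with Export-PfxCertificate from the built-in PKI module. The CA config string 'DC.mylab.local\mylab-DC-CA' (CA host\CA name), the C:\temp paths and the expected name list are assumptions for the example.

```powershell
# Added example, not from the original post: the same submit / install / export
# flow done with certreq and the PKI module instead of the two MMC snap-ins.
# Assumptions: the CA is reachable as 'DC.mylab.local\mylab-DC-CA' (CA host\CA name),
# the CSR is C:\temp\request.csr, and this runs elevated on the host where
# certreq -new created the private key.
$CaConfig = 'DC.mylab.local\mylab-DC-CA'
$OutDir   = 'C:\temp'
$Name     = 'mysite.mylab.local'
$Expected = @('mysite.mylab.local', 'server1.mylab.local', 'server2.mylab.local')

$csr = Join-Path $OutDir 'request.csr'
$crt = Join-Path $OutDir "$Name.crt"
$pfx = Join-Path $OutDir "$Name.pfx"

# Submit to the enterprise CA. If the template needs manager approval this prints
# a RequestId and "Certificate request is pending"; issue it in certsrv.msc and
# then run: certreq -retrieve -config $CaConfig <RequestId> $crt
& certreq.exe -submit -config $CaConfig $csr $crt
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }

# -accept pairs the issued cert with the pending request's private key and
# installs it in LocalMachine\My (what the MMC import step does by hand)
& certreq.exe -accept -machine $crt
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Name" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate for CN=$Name with a private key in LocalMachine\My" }

# Verify every expected SAN is actually in the issued cert; CA policy can strip
# or rewrite request extensions, so check before handing the PFX to the F5 / IIS
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw "issued certificate has no Subject Alternative Name" }
$sanText = $sanExt.Format($true)   # one "DNS Name=..." line per entry on Windows
$missing = $Expected | Where-Object { $sanText -notmatch [regex]::Escape("DNS Name=$_") }
if ($missing) { throw "SAN is missing: $($missing -join ', ')" }

# Export with the private key and the issuing chain; the password protects the key material
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pfxPassword -ChainOption BuildChain | Out-Null
Write-Host "Exported $pfx with $($Expected.Count) SAN entries checked"
```

The SAN check is the step the MMC route skips: a CA can be configured to ignore request extensions, in which case you get a perfectly valid single-name certificate that the F5 or IIS will serve for every name you expected, and browsers will reject it for all but the CN.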

Optional [NewRequest] settings. Add FriendlyName directly below Subject so IIS populates its Friendly Name column; KeyLength = 4096 gives a larger key, and HashAlgorithm = sha512 sets the hash used to sign the CSR itself (the signature hash on the issued certificate is chosen by the CA, not by the request):
FriendlyName = "My Own Friendly Name"
KeyLength = 4096
HashAlgorithm = sha512