Generating a Multi-Domain CA signed SSL certificate request

One of our DEV environments had a CA-signed SSL certificate with 30 alternative names; every time a new site was added I had to re-generate the cert and add another DNS entry. Doing it through the wizard took forever, so I set out to find a script to do this. I found the script on one of Microsoft's TechNet blogs, but the URL no longer works, so I'm dumping the info here.

The command below will generate one certificate request for 3 sites; you can add as many alternative DNS names as you want. You can download the cert here if you want to take a look at it. I'm testing some F5 features now, so I needed to generate a cert and am pasting all the details below.
mysite.mylab.local
server1.mylab.local
server2.mylab.local

- If you want the subject to be empty, use "Subject =" with no value, or remove the Subject line entirely
- If you don't want to use a template, remove the RequestAttributes section

This command will generate a multi-domain CA-signed SSL cert request. Run it on one of your Domain Controllers where the Certification Authority is installed. You may have to change the 'CertificateTemplate= WebServer' name if you changed your template names.

C:\temp\certreq -new request.inf request.csr

The request.inf input file that's used to create the CSR:

;----------------- request.inf -----------------

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=mysite.mylab.local"   ; For a wildcard use "CN=*.CONTOSO.COM" for example
; For an empty subject use the following line instead or remove the Subject line entirely
; Subject =
Exportable = TRUE                   ; Private key IS exportable (required for the .pfx export below; set FALSE if the key must never leave this machine)
KeyLength = 2048                    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384 (use 2048 or larger)
KeySpec = 1                         ; AT_KEYEXCHANGE
KeyUsage = 0xE0                     ; Digital Signature (0x80), Non-Repudiation (0x40), Key Encipherment (0x20)
MachineKeySet = True                ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC

; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below

[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[Extensions]
; Subject Alternative Name: one dns= entry per host name, joined with &
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=mysite.mylab.local&dns=server1.mylab.local&dns=server2.mylab.local"
; Enhanced Key Usage: Server Authentication and Client Authentication
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"

[RequestAttributes]
CertificateTemplate= WebServer

;----------------- request.inf -----------------

Generating the SSL cert

Do the following to generate the .crt file:

  1. Start > Run > mmc > Certification Authority > Add > Finish
  2. mylab-DC-CA > right-click > All Tasks > Submit new request
  3. Browse to request.csr and click Open
  4. You will get a Save As pop-up; save the cert as "mysite.mylab.local.crt"
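The request.inf above and the submit step can be scripted end to end. The following PowerShell is an added example, not the script from the original post: it builds the INF from a list of host names, runs certreq -new / -submit / -accept, and then checks that every requested name really landed in the issued certificate's SAN. The CA config string (host\CA name) and the output folder are placeholders; the template name is the one from the post.

```powershell
param(
    [string]   $Subject  = 'mysite.mylab.local',
    [string[]] $DnsNames = @('server1.mylab.local', 'server2.mylab.local'),
    [string]   $Template = 'WebServer',                    # template name used in the post
    [string]   $CAConfig = 'dc01.mylab.local\mylab-DC-CA'  # placeholder "host\CA name", adjust
)
function Invoke-CertReq {  # stop on the first failed certreq step instead of continuing
    & certreq.exe @args
    if ($LASTEXITCODE -ne 0) { throw "certreq $($args[0]) failed with exit code $LASTEXITCODE" }
}
$work = Join-Path $env:TEMP 'certreq-san'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$inf = "$work\request.inf"; $csr = "$work\request.csr"; $crt = "$work\request.crt"
# Clients match on the SAN and ignore the CN once a SAN is present, so the
# subject name is always included in the SAN list as well (deduplicated).
$allNames = @($Subject) + $DnsNames | Select-Object -Unique
$san = ($allNames | ForEach-Object { "dns=$_" }) -join '&'

@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$Subject"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
HashAlgorithm = sha256
[Extensions]
2.5.29.17 = "{text}$san"
2.5.29.37 = "{text}1.3.6.1.5.5.7.3.1"
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII
Invoke-CertReq -new $inf $csr
Invoke-CertReq -submit -config $CAConfig $csr $crt   # if the template requires approval, fetch later with -retrieve
Invoke-CertReq -accept $crt                          # binds the issued cert to its private key in the machine store

# Verify every requested name is actually present in the issued certificate's SAN extension.
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crt
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$issued  = @($sanExt.Format($true) -split "`r?`n" | Where-Object { $_ } | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
$missing = @($allNames | Where-Object { $issued -notcontains $_ })
if ($missing) { throw "Issued certificate is missing SAN entries: $($missing -join ', ')" }
"OK: SAN covers $($issued -join ', ')"
```

Run it elevated on the machine that should hold the private key; the SAN check at the end is what catches a CA policy that silently drops or rewrites the requested names.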

Now that you have the .crt file, you need to export a .pfx file, which contains the private key. You need to run this on the same server where you ran certreq, as only that server holds the private key.

  1. Start > Run > mmc > Certificates > Computer Account > Finish
  2. Expand Personal > Certificates, right-click > All Tasks > Import
  3. Browse to the .crt file
  4. Place it in the Personal cert store, click Next, then Finish
  5. Locate the cert in the Personal cert store > All Tasks > Export
  6. Yes, export the private key
  7. Personal Information Exchange – PKCS #12 (.PFX)
  8. Check "Include all certificates in the certification path if possible"
  9. Check "Export all extended properties"
  10. Set a password
  11. Save as mysite.mylab.local.pfx
  12. Now you can import the .pfx file into IIS or wherever you need it


2 Responses to Generating a Multi-Domain CA signed SSL certificate request

  1. noone says:

    Add the friendly name below subject so IIS shows a Friendly name column

    FriendlyName = "My Own Friendly Name"

  2. me@me.com says:

    KeyLength = 4096
    HashAlgorithm = sha512
