Friday, 5 November 2010

How to enable SAN certificate issuing on a Windows CA

The following post is more for me than for the public. :-)

Exchange Server 2007 and Exchange Server 2010 rely heavily on certificates for secure communication between servers and clients.

If you go with a third-party CA for your certificate requirements, you pay them according to their pricing, typically every year or for the length of your subscription.

To avoid paying a third-party CA while still keeping communications secure, most companies prefer to deploy their own internal CA. Once your internal CA is deployed, one of the problems you normally face is issuing certificates that contain multiple subject names (Subject Alternative Name, SAN). Neither Windows Server 2003 nor Windows Server 2008/R2 is configured to issue SAN certificates by default: the default policy module configured during CA installation keeps this disabled.

To allow a Windows CA to issue certificates for requests that contain a Subject Alternative Name extension, you must enable this with the CERTUTIL.EXE tool on the CA.

To enable SAN certificate issuance on the CA, follow these steps:

1. Open a command prompt with elevated privileges, or with user credentials that have permission to manage the CA.

2. Run the command: certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

3. This command changes the value of EditFlags by setting the EDITF_ATTRIBUTESUBJECTALTNAME2 bit under the registry key SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Server Name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy

The output looks like the following (the values on your CA may differ from this example):

C:\>certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Server Name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:


Old Value:

EditFlags REG_DWORD = 11014e (1114446)

EDITF_REQUESTEXTENSIONLIST — 2

EDITF_DISABLEEXTENSIONLIST — 4

EDITF_ADDOLDKEYUSAGE — 8

EDITF_BASICCONSTRAINTSCRITICAL — 40 (64)

EDITF_ENABLEAKIKEYID — 100 (256)

EDITF_ENABLEDEFAULTSMIME — 10000 (65536)

EDITF_ENABLECHASECLIENTDC — 100000 (1048576)


New Value:

EditFlags REG_DWORD = 15014e (1376590)

EDITF_REQUESTEXTENSIONLIST — 2

EDITF_DISABLEEXTENSIONLIST — 4

EDITF_ADDOLDKEYUSAGE — 8

EDITF_BASICCONSTRAINTSCRITICAL — 40 (64)

EDITF_ENABLEAKIKEYID — 100 (256)

EDITF_ENABLEDEFAULTSMIME — 10000 (65536)

EDITF_ATTRIBUTESUBJECTALTNAME2 — 40000 (262144)

EDITF_ENABLECHASECLIENTDC — 100000 (1048576)

CertUtil: -setreg command completed successfully.

The CertSvc service may need to be restarted for changes to take effect.

4. Restart Certificate Services using the Services MMC snap-in or from the command prompt: net stop certsvc && net start certsvc

5. Once the service is restarted, you can request a certificate with a SAN extension using the Web Enrollment application.

Warning! You should not enable SAN extension support on your Enterprise Root CA. If you must enable it, do so on one of the standalone CAs dedicated to issuing SAN certificates.
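As an added example (not part of the original post), the PowerShell script below audits the setting the steps above change: it decodes an EditFlags value into the flag names shown in the certutil output, reads the live value and the CA type from the registry, and reports whether SAN issuing is enabled and whether that is on an Enterprise Root CA, the case the warning above is about. It assumes it runs on the CA host with rights to read HKLM\SYSTEM\CurrentControlSet\Services\CertSvc, that the active CA name is stored in the Active value of the Configuration key, and that the CAType value mapping follows the ENUM_CATYPES definitions in certsrv.h. The function names Get-CaSanStatus, ConvertFrom-EditFlags and Disable-CaSanIssuing are my own; the disable function uses certutil's minus prefix, the documented counterpart of the plus prefix used in step 2.

```powershell
# Added audit script, not from the original post. Assumes it runs on the CA
# host with read access to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc.

$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# EditFlags bits, named and valued exactly as in the certutil output above.
$EditFlagNames = [ordered]@{
    0x2      = 'EDITF_REQUESTEXTENSIONLIST'
    0x4      = 'EDITF_DISABLEEXTENSIONLIST'
    0x8      = 'EDITF_ADDOLDKEYUSAGE'
    0x40     = 'EDITF_BASICCONSTRAINTSCRITICAL'
    0x100    = 'EDITF_ENABLEAKIKEYID'
    0x10000  = 'EDITF_ENABLEDEFAULTSMIME'
    0x40000  = 'EDITF_ATTRIBUTESUBJECTALTNAME2'
    0x100000 = 'EDITF_ENABLECHASECLIENTDC'
}
$SanFlag = 0x40000

# CAType values: mapping assumed from ENUM_CATYPES in certsrv.h.
$CaTypeNames = @{
    0 = 'Enterprise Root'
    1 = 'Enterprise Subordinate'
    3 = 'Standalone Root'
    4 = 'Standalone Subordinate'
}

function ConvertFrom-EditFlags {
    # Decode a raw EditFlags DWORD into the names of the bits it contains.
    param([Parameter(Mandatory)][uint32]$Value)
    foreach ($bit in $EditFlagNames.Keys) {
        if ($Value -band $bit) { $EditFlagNames[$bit] }
    }
}

function Get-CaSanStatus {
    # Read the active CA's EditFlags and CAType and summarise the SAN setting.
    $caName    = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
    $caKey     = Join-Path $ConfigKey $caName
    $policyKey = Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'

    $editFlags = [uint32](Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
    $caType    = [int](Get-ItemProperty -Path $caKey -Name CAType).CAType
    $sanOn     = [bool]($editFlags -band $SanFlag)

    [pscustomobject]@{
        CAName           = $caName
        CAType           = $CaTypeNames[$caType]
        EditFlags        = ('0x{0:x}' -f $editFlags)
        FlagsSet         = @(ConvertFrom-EditFlags -Value $editFlags)
        SanIssuing       = $sanOn
        SanOnEnterpriseRoot = $sanOn -and ($caType -eq 0)
    }
}

function Disable-CaSanIssuing {
    # Reverse step 2 of the post: clear the bit and restart the service.
    certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 | Out-Null
    Restart-Service -Name certsvc
}

# Worked decode of the two values shown in the post's certutil output:
ConvertFrom-EditFlags -Value 0x11014e   # the seven "Old Value" flags, no SAN bit
ConvertFrom-EditFlags -Value 0x15014e   # the same plus EDITF_ATTRIBUTESUBJECTALTNAME2

# On a CA host, run the live check:
# Get-CaSanStatus | Format-List
```

Run Get-CaSanStatus on each CA after the change; SanOnEnterpriseRoot being true is exactly the configuration the warning above tells you to avoid, and Disable-CaSanIssuing reverts it in the same way step 2 applied it.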

