How to allow an Active Directory Certificate Authority to generate Certificates with a Subject Alternative Name attribute

,

Starting with Google Chrome 58, Chrome no longer trusts certificates without the Subject Alternative Name attribute, so this makes it a little troublesome for those with internal CAs where you rely on them for Software Development. We noticed last week that some end users couldn’t hit an internal application over HTTPS, but was fine in Firefox and IE. After a quick search, I’d found the culprit was a change in the behavior of Google Chrome to adhere more stringently to RFC 2818. So I went to work on our CA in enabling certificates to be requested with the Subject Alternative Name Attribute.

Start an administrative command prompt on one of your intermediate CA server and issue the following command;

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

You’ll then need to restart Certificate Services. Once done, best thing to do is to create a new Template (ours is called Dev Web Servers) along with giving the right permissions to allow users or machines to enroll and begin issuing the new certificates. We do this manually at the moment via the Web interface.

When requesting a certificate you need to fill in the attribute text field with the following

san:dns=hostname1&dns=hostname2&dns=devweb2

Fill in the dns= part until you cover off all of the sites you need. Complete the request to install the certificate onto your server and adjust the SSL bindings to use the new certificate.


Leave a Reply

More Posts

Issues Deploying a Custom Windows 10 Start Menu Layout when using an image with a Default Profile

So I’m in the final stages of getting our Windows 10 Deployment ready to go and I am currently in the process of branding and customising our image, which includes setting a custom Start Menu Tile Layout.  This is done with the use of two PowerShell commands Export-StartMenuLayout and Import-StartMenuLayout. I created our preferred start menu, […]

Getting Folder Sizes and number of items in a Mailbox for a particular user on Microsoft Exchange using PowerShell

Recently one of our high-end users was going over their mailbox limit. In helping them to cut down I like to let them know what folders are using up the most of their quota (generally it is their sent items folder, but sometimes not). Executing the below PowerShell command in an Exchange Administration Shell gave […]

Adding a ToolTip to a Picture Control in VB.Net

So here is a quick one. I was recently developing a small application written in VB.Net and went to add a tool tip to a picture control displaying the Windows UAC Shield but found that I couldn’t.  So after a litle poke around I found that I could initialise the ToolTip method and apply to […]