How to allow an Active Directory Certificate Authority to generate Certificates with a Subject Alternative Name attribute


Starting with Google Chrome 58, Chrome no longer trusts certificates that lack the Subject Alternative Name attribute, which makes life a little troublesome for those of us with internal CAs that we rely on for software development. We noticed last week that some end users couldn’t reach an internal application over HTTPS in Chrome, although it was fine in Firefox and IE. After a quick search, I found the culprit was a change in the behaviour of Google Chrome to adhere more stringently to RFC 2818. So I went to work on our CA to enable certificates to be requested with the Subject Alternative Name attribute.

Start an administrative command prompt on one of your intermediate CA servers and issue the following command:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

You’ll then need to restart Certificate Services. Once done, the best thing to do is create a new template (ours is called Dev Web Servers) and give the right permissions to allow users or machines to enroll, then begin issuing the new certificates. We do this manually at the moment via the web interface.

When requesting a certificate, you need to fill in the attribute text field with the following:

san:dns=hostname1&dns=hostname2&dns=devweb2

Repeat the dns= part until all of the sites you need are covered. Complete the request, install the certificate onto your server and adjust the SSL bindings to use the new certificate.
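As an added example (not from the original post), this PowerShell snippet confirms on the CA that EDITF_ATTRIBUTESUBJECTALTNAME2 (bit 0x00040000 of EditFlags) is actually set on the active policy module after the certutil command and service restart, and builds the san: attribute string from a list of hostnames. Because the flag applies CA-wide and lets a requester supply SAN values through the request attribute, the same check is worth keeping as a periodic audit; the registry paths are the standard CertSvc configuration keys, and the hostnames are the constructed ones from the post.

```powershell
# Bit value documented for EDITF_ATTRIBUTESUBJECTALTNAME2 in the CA policy module EditFlags
$EditfAttributeSubjectAltName2 = 0x00040000

function Get-CaSanAttributeState {
    # The CertSvc Configuration key names the active CA, and the CA's PolicyModules
    # key names the active policy module; EditFlags lives under that module.
    $cfg          = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName       = (Get-ItemProperty -Path $cfg -Name Active).Active
    $policyKey    = Join-Path $cfg "$caName\PolicyModules"
    $policyModule = (Get-ItemProperty -Path $policyKey -Name Active).Active
    $editFlags    = (Get-ItemProperty -Path (Join-Path $policyKey $policyModule) -Name EditFlags).EditFlags

    [pscustomobject]@{
        CAName              = $caName
        PolicyModule        = $policyModule
        EditFlags           = ('0x{0:X8}' -f $editFlags)
        # Bitwise test: the flag is on only if this bit is set in the DWORD
        SanAttributeEnabled = (($editFlags -band $EditfAttributeSubjectAltName2) -ne 0)
    }
}

function New-SanRequestAttribute {
    # Builds the "san:dns=a&dns=b" string expected by the attribute field of the web enrollment page
    param([Parameter(Mandatory)][string[]]$DnsName)
    'san:' + (($DnsName | ForEach-Object { "dns=$_" }) -join '&')
}

# Run in an elevated PowerShell session on the CA that was reconfigured
$state = Get-CaSanAttributeState
$state | Format-List

if (-not $state.SanAttributeEnabled) {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set; the CA will ignore the san: request attribute.'
    Write-Warning 'Re-run the certutil -setreg command, then: Restart-Service certsvc'
}

# Constructed hostnames from the post; pass your own list when requesting
New-SanRequestAttribute -DnsName 'hostname1', 'hostname2', 'devweb2'
```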
