Automatically create Subject Alternate Name (SAN) Certificates

You would need to create a new Computer certificate template with the option Subject Name: Supply in the request selected. You will need to provide both the subject name and alternate subject name within the request.

Unfortunately, there is no way to autoenroll with this option, as Windows Certificate Services only allows the use of DNS name or SPN for the alternate.

As an aside, doing something like this would not be considered a security best practice, as an attacker can perform man-in-the-middle attacks with a forged certificate.
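As an added example that is not part of the original answer, the request described above can be driven from PowerShell with certreq: the FQDN goes in the subject, both the short host name and the FQDN go in the SAN extension, and the script then checks that the issued certificate really carries both names. The template name `ComputerSAN` and the CA config string are assumptions.

```powershell
# Added example, not from the original answer. Assumptions: the custom template is
# named "ComputerSAN" and $CaConfig matches your enterprise CA ("host\CA name").
$TemplateName = 'ComputerSAN'                  # assumed template name
$CaConfig     = 'ca01.domain.local\Domain-CA'  # assumed CA config string
# Short host name and FQDN of this machine; both should validate when used in RDP.
$ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$ShortName = $ipProps.HostName.ToLower()
$Fqdn      = "$ShortName.$($ipProps.DomainName)".ToLower()
# certreq INF: subject comes from the request, and the SAN extension (OID 2.5.29.17)
# carries both names. This only works with a template set to "Supply in the request".
$Inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$ShortName"

[RequestAttributes]
CertificateTemplate = "$TemplateName"
"@
$InfPath = Join-Path $env:TEMP 'san-request.inf'
$ReqPath = Join-Path $env:TEMP 'san-request.req'
$CerPath = Join-Path $env:TEMP 'san-issued.cer'
Set-Content -Path $InfPath -Value $Inf -Encoding Ascii
# Create the CSR in the machine store, submit it, and install the issued certificate.
# If the template requires CA manager approval, -submit reports the request as pending;
# after approval, fetch it with: certreq -config $CaConfig -retrieve <RequestId> $CerPath
certreq -new $InfPath $ReqPath
certreq -submit -config $CaConfig $ReqPath $CerPath
certreq -accept $CerPath
# Verify the installed certificate actually lists both names in its SAN.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate for CN=$Fqdn in the machine store (request may be pending)." }
$San   = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
$Names = ($San -split ',\s*') | ForEach-Object { ($_ -replace '^DNS Name=', '').Trim().ToLower() }
if ($Names -contains $Fqdn -and $Names -contains $ShortName) { "OK: SAN = $San" }
else { "WARNING: SAN does not cover both names: $San" }
```

Run it in an elevated PowerShell on the server being enrolled; the verification step is what tells you whether an RDP connection to either name will match the certificate.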


Author: Jonathan

By day: work as a DevOps Engineer at allcloud.io. By night: drumming along, playing with smart devices.

Updated on September 18, 2022

Comments

  • Jonathan (over 1 year)

    We are running an enterprise CA on Windows 2008R2. I just did an update to Windows 7 on my workstation. Now every time I connect to a remote server using RDP I get a warning stating that the server name is wrong. This is because I use just the hostname for connecting and the cert is created using the FQDN.

    The certificates on the servers have been created using autoenrollment with a template based on the computer template.

    Is there a way to automatically include the hostname as a subject alternate name (SAN) and still use autoenrollment? I would like the autoenrolled certificates to have server and server.domain.local as valid names.

  • Ashmeet Singh (about 12 years)
    The entire FQDN makes up the unique identity of the computer; it is not possible for a client to just use part of the name. The only way to work around this is to manually supply the alternate name as part of the request, which must then be manually approved. This is by design to keep people from unknowingly creating unsafe certificates.
  • fjch1997 (about 4 years)
    It's possible to give certain (trusted) users the permission to auto-enroll in the Security tab of the certificate template.
  • Auditor (over 2 years)
    Thanks to this post, which cleared up my question; I lost my hair looking for a Microsoft public document that I haven't found. This confirmed my doubts. Thanks.