How to create self-signed SAN certificate in IIS?
Solution 1
Unfortunately, IIS manager cannot create certificates or requests with SAN extension. You have to use something else. For example, PowerShell or certreq.exe tool (both are included in the box).
PowerShell
Minimum required parameters
New-SelfSignedCertificate `
    -DnsName "mysite.com","www.mysite.com" `
    -CertStoreLocation cert:\localmachine\my
More detailed parameters
# The parameters beyond -DnsName/-CertStoreLocation need the newer PKI module
# (Windows 10 / Server 2016 and later); Server 2012's cmdlet only accepts those two.
New-SelfSignedCertificate -Subject "CN=www.mysite.com" `
    -DnsName "mysite.com","www.mysite.com" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `  # EKU: server authentication
    -KeySpec "KeyExchange" `
    -KeyUsage "DigitalSignature", "KeyEncipherment" `
    -FriendlyName "My web site" `
    -NotAfter $([datetime]::now.AddYears(1)) `
    -CertStoreLocation cert:\localmachine\my
CertReq.exe
Prepare an INF template file (with the .inf file extension) with the following contents:
[NewRequest]
Subject = "CN=www.mysite.com"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
MachineKeySet = true
KeySpec = 1
KeyUsage = 0xa0
RequestType = Cert
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; server authentication
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=mysite.com&"
_continue_ = "dns=www.mysite.com"
And then execute the following command against this INF file:
certreq -new path\myinftemplate.inf
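Added example (not part of the answer above): after creating the certificate with either method, read the Subject Alternative Name extension back from the store to confirm every hostname is present (clients match against the SAN, not the common name), then bind it to the IIS site. It assumes Windows 10 / Server 2016 or later for the cmdlet parameters, the WebAdministration module from IIS, and placeholder hostnames and site name.

```powershell
# Assumed placeholders: adjust the hostnames and the IIS site name.
$hostnames = @("mysite.com", "www.mysite.com")
$siteName  = "Default Web Site"

$cert = New-SelfSignedCertificate `
    -Subject "CN=$($hostnames[1])" `
    -DnsName $hostnames `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeySpec KeyExchange `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `   # EKU: server authentication
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation Cert:\LocalMachine\My

# Verify the SAN extension (OID 2.5.29.17, the same OID the certreq INF fills in)
# rather than trusting the parameters that were passed.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if (-not $san) { throw "Certificate has no Subject Alternative Name extension" }
$sanText = $san.Format($false)   # Windows renders it as "DNS Name=mysite.com, DNS Name=www.mysite.com"
foreach ($name in $hostnames) {
    if ($sanText -notmatch [regex]::Escape("DNS Name=$name")) {
        throw "SAN extension is missing $name"
    }
}
Write-Host "SAN OK: $sanText (thumbprint $($cert.Thumbprint))"

# Bind the certificate to the site's HTTPS endpoint (SNI binding on the www name).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostnames[1] -SslFlags 1
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, "my")
```

Run from an elevated PowerShell session, since both the LocalMachine store and IIS configuration require administrator rights.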
Solution 2
What version of Windows? If it is a newer version of Windows, it would probably be easier to just open up powershell and use the New-SelfSignedCertificate commandlet. You can use the -DnsName to provide a list of all the names you want in your SAN.
Denise
Updated on September 18, 2022
Comments
- Denise, over 1 year ago: Is it possible to create a self-signed SAN SSL certificate in IIS? If so, how do I go about creating it? In IIS, I only see the option of creating a normal SSL certificate.
- Denise, over 6 years ago: Hi, what's the difference between common name and DnsName? @Crypt32
- Denise, over 6 years ago: After using the powershell script, what command do I use to allow this script to run? Because it seems stuck after that.
- Denise, over 6 years ago: My powershell says "the term new self-signed certificate is not recognised as a cmdlet".
- Denise, over 6 years ago: It's Windows Server 2012. I tried, but my powershell says "the term new self-signed certificate is not recognised as a cmdlet".
- Crypt32, over 6 years ago: Sorry, it was a typo in the command name. Now the name is correct.
- Greg W, over 6 years ago: Because the command is "New-SelfSignedCertificate", not "new self-signed certificate".