How to Add a Subject Alternative Name to a secure LDAP Certificate in SBS 2008.

  • Article

This method can only be used with self assigned certs (To request certificate from an Internal MS CA) and not with 3rd party certs. To get SAN for a 3rd party cert contact the vendor. (We can use the same .req file to request 3rd party SAN certificate).

There may be certain situation where we may need SAN Certs. example; Entourage 2008 prompting for SSL while configured with Exchange 2007.
Entourage 2008 utilizes web services if its connecting to an Exchange 2007 CAS with Service Pack 1 installed. This communication happens over port 80 (without SSL) or 443 (with SSL) as per the server side configuration. This content does not cover the configuration on Entourage part.

You may refer to the following links which gives some basics information;
https://www.microsoft.com/mac/itpros/default.mspx?clr=99-15-0&srcid=ba6801bf-4fda-4359-bbf8-531245df76811033&ep=9&target=d41b4196-4321-48f7-9900-cbf678ac819c1033
https://blogs.technet.com/amir/archive/2008/02/08/how-does-entourage-work.aspx
https://technet.microsoft.com/en-us/library/bb124251.aspx

There maybe more resources and it would probably help if you could email them to me via my blog. I’d be more than happy to update this post with them.

How to configure a CA to accept a SAN attribute from a certificate request:

Update: The below steps are unsafe and one should use the following article instead: https://technet.microsoft.com/en-us/library/ff625722(v=WS.10).aspx

By default, a CA that is configured on a SBS 2008 based computer does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command.

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

net stop certsvc && net start certsvc

How to use the Certreq.exe utility to create and submit a certificate request that includes a SAN

To use the Certreq.exe utility to create and submit a certificate request, follow these steps:

Create an .inf file that specifies the settings for the certificate request. You can use the following sample code to create an .inf file.

=================================================
[Version]
Signature="$Windows NT$

[NewRequest]
Subject = "CN=remote.contoso.local"
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
SAN="dns=autodiscover.contoso.local&dns=remote.contoso.local&dns=servername&dns=contoso.local&dns=servername.contoso.local&dns=contoso.com"
==================================================

Ø Save the file as Request.inf.
Ø You can add more SANs simply by adding &dns= between the quotes.
Ø Open a command prompt.
Ø At the command prompt, type the following command, and then press ENTER:

certreq -new request.inf certnew.req

This command uses the information in the Request.inf file to create a request in the format that is specified by the RequestType value in the .inf file. When the request is created, the public and private key pair is automatically generated and then put in a request object in the enrollment requests store on the local computer.

Ø You can check if the request has been created successfully by running the following command.
Certutil -dump certnew.req

Ø To submit the request,
Ø At the command prompt, type the following command, and then press ENTER:
certreq -submit certnew.req certnew.cer

Ø You will see a prompt asking you to select the certificate authority and since we only have one, you can click ok.
Ø Once you click ok, you will be asked to save it.
Ø Open MMC, Add Certificates (Local Computer), Expand Personal, Right click on Certificate and import the cert.
Ø Once done, double click the cert. and then go to the 'Details' tab.
Ø There, click on Subject Alternative Name and check if the desired SANs are there.
Ø Also make a note of the Thumbprint, we will need this to import the cert to appropriate exchange service.
Ø Now you need to assign this certificate to appropriate exchange services.
Ø From Exchange Command Shell type,

Get-ExchangeCertificates.

Ø Copy the thumbprint of the cert you want to import.
Ø Now run the following command to import.

Enable-ExchangeCertificate -thumbprint <certificate-thumbprint> -services "IIS,POP,IMAP"

Ø In the above command replace the <certificate-thumbprint> with the one in clipboard.

Once done, you can check from ISS or by browsing any of the websites to ensure the right certificate is visible.

Reference KB
KB 931351 How to add a Subject Alternative Name to a secure LDAP certificate
https://support.microsoft.com/kb/931351

Thanks to Ashish, Suren and Pradeep for their inputs.