Follow the steps below to generate a CSR with a SAN (Subject Alternative Name) from Windows Server, because SSL certificates generated from IIS do not contain a SAN.
Since version 58, Google Chrome requires SSL certificates to use SAN (Subject Alternative Name) instead of the popular Common Name (CN): https://www.thesslstore.com/blog/security-changes-in-chrome-58/
- Run “certlm.msc” to open Certificates – Local Computer
- Right click on Personal and select All Tasks – Advanced Operations – Create Custom Request
- Click Next
- Select Custom Request – Proceed without enrollment policy and click Next
- Click Next
- Expand Detail and click on Properties
- Enter Name & Description
- Select DNS as the type and enter *.aventislab.com; this will be the SAN (Subject Alternative Name) included in our SSL certificate
- Change the Key Size to 2048 and check Make Private Key Exportable
- Enter C:\temp\aventislab.req to export the CSR File
- Log in to LAB-AD01, which is our Enterprise Root CA server, and run the following command to generate the aventislab.cer file:

```
certreq -submit -attrib "CertificateTemplate:webserver" C:\temp\aventislab.req C:\temp\aventislab.cer
Active Directory Enrollment Policy
{C14446F0-EC5A-4A11-8BCD-EC6B0044C156}
ldap:
RequestId: 7
RequestId: "7"
Certificate retrieved(Issued) Issued
```
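The same request can also be scripted with `certreq -new` and an INF file, which makes the SAN explicit and lets you check it before submitting to the CA. This is an added example, not part of the original post: the INF file name, the Subject CN and the `Test-SanEntry` helper are assumptions, and the `certutil` match assumes English-language output.

```powershell
# Added example: scripted equivalent of the certlm.msc steps above.
# Run from an elevated PowerShell prompt on the server that will hold the private key.
$inf = 'C:\temp\aventislab.inf'   # assumed file name for the request template
$req = 'C:\temp\aventislab.req'   # same CSR path used in the steps above

# certreq request template: 2048-bit exportable machine key plus a SAN
# extension (OID 2.5.29.17). The Subject CN is an assumption; the page only
# specifies the DNS alternative name.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=*.aventislab.com"
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=*.aventislab.com&"
'@ | Set-Content -Path $inf -Encoding ASCII

# Returns $true when the CSR or certificate at $Path lists $DnsName in its SAN.
function Test-SanEntry([string]$Path, [string]$DnsName) {
    [bool](certutil -dump $Path | Select-String -SimpleMatch "DNS Name=$DnsName")
}

certreq -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Fail early if the SAN did not make it into the CSR.
if (-not (Test-SanEntry -Path $req -DnsName '*.aventislab.com')) {
    throw 'CSR has no SAN entry for *.aventislab.com'
}
Write-Output "CSR with SAN written to $req"
```

After the CA issues the certificate, the same `Test-SanEntry` call can be pointed at C:\temp\aventislab.cer to confirm the SAN survived issuance.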
Import the SSL Certificate and generate the PFX File
- Go to Certificates – Local Computer and select Import
- Select c:\temp\aventislab.cer
- Place the certificate in Personal
- Verify the SAN (Subject Alternative Name) is included
- Right click *.aventislab.com and select Export
- Select Yes, export the private key
- Click Next
- Enter Password for the Private Key
- Export the PFX file to C:\temp\aventislab.pfx
We can keep the PFX file and import it to Microsoft Exchange Server or IIS Web Server later.