Recently we changed the name of an application server (groan). This application has a web front end that requires SSL. See the problem yet? New name=certificate mismatch. To limit this issue, I plan to maintain both the new and old names in DNS, but how to prevent SSL from “breaking”? One solution would be to multi-home the system, create a separate IIS site for the new IP, and assign this a second SSL certificate. Unfortunately, our application is hostile to this approach… without making our implementation overly complex, we can have only one IIS site serving the application.
I believe the solution is to add a “Subject Alternative Name” (SAN) to the SSL cert. Unfortunately, IIS does not make this easy. The certificate request wizard does not allow for the specification of a SAN. Once again, it is the command line to the rescue…
The following KB details use of the certreq.exe command line tool to generate a certificate signing request with SAN, suitable for submission to a third-party CA:
The instructions worked fairly well for me, except that I needed to change the “RequestType” to “PKCS10” from “CMC”, as shown here:
So, here is a representation of my certreq.exe .inf file. The section headers are required, and the quotes must be straight ASCII quotes: curly quotes copied from a web page will make certreq.exe reject the file. (KeyLength = 1024 reflects the time of writing; public CAs now require at least 2048-bit RSA keys.)

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=[FQDN of Server],OU=Enterprise Technology Services,O=University of Vermont,L=Burlington,ST=Vermont,C=US"
Exportable = FALSE
KeyLength = 1024
KeySpec = 1 ; Key Exchange
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer
SAN="dns=[FQDN from CN]&dns=[Original FQDN of Server]"
Note the syntax of the "SAN" line: one "dns=" entry per name, joined with "&". The name in the CN has to be repeated here, because a client that finds a SAN extension ignores the CN and matches only against the SAN entries, so leaving the new name out would break the new name while fixing the old one.
Now generate the certificate request file:
certreq.exe -new certreq.inf certreq.req
Cut and paste the contents of your .req file into the application for your third-party CA cert.
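The whole procedure above, wrapped in a script so it can be repeated for the next rename. This is an added example, not code from the original post or from the Microsoft KB: the hostnames, the organization fields and the file paths are placeholders, and the KeyLength is raised to 2048 because public CAs stopped accepting 1024-bit RSA keys. The script adds the two checks a practitioner wants: it decodes the generated .req with certutil.exe -dump and confirms both names are actually in the request before it is pasted into the CA's form (the SAN request attribute is a Microsoft-specific encoding, and a CA that ignores it will quietly issue a single-name certificate), and, once the issued certificate is bound in IIS, Test-TlsName connects to each hostname and verifies that the served certificate's SAN extension covers it.

```powershell
# Added example (not from the original post). Assumed placeholders: the two FQDNs,
# the Subject fields, and the output paths. Run in an elevated PowerShell on the web server.
param(
    [string]$NewFqdn = "newname.example.edu",   # assumed: the FQDN that goes in the CN
    [string]$OldFqdn = "oldname.example.edu",   # assumed: the retired name still in DNS
    [string]$InfPath = "$PWD\certreq.inf",
    [string]$ReqPath = "$PWD\certreq.req"
)

# 1. Build the SAN attribute: one dns= entry per name, joined with '&'.
#    The CN name is repeated because clients ignore the CN once a SAN is present.
$san = (@($NewFqdn, $OldFqdn) | ForEach-Object { "dns=$_" }) -join '&'

# 2. Write the .inf with straight ASCII quotes. '$Windows NT$' is escaped so
#    PowerShell does not expand $Windows as a variable inside the here-string.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$NewFqdn,OU=Enterprise Technology Services,O=Example University,L=Burlington,ST=Vermont,C=US"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
SAN="$san"
"@
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# 3. Generate the CSR; the private key is created in the machine store (MachineKeySet = True).
& certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq.exe -new failed with exit code $LASTEXITCODE" }

# 4. Decode the request and make sure both names are really in it before it goes to the CA.
$dump = (& certutil.exe -dump $ReqPath) | Out-String
foreach ($name in @($NewFqdn, $OldFqdn)) {
    if ($dump -notmatch [regex]::Escape($name)) {
        throw "$name is missing from $ReqPath; the CA would issue a certificate that still mismatches"
    }
}
Write-Host "CSR written to $ReqPath with SAN: $san"

# 5. Post-deployment check: after the issued certificate is bound in IIS, connect to each
#    hostname and confirm the served certificate's SAN extension (OID 2.5.29.17) lists it.
function Test-TlsName {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate in the callback; we inspect the SAN ourselves below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($null -eq $sanExt) { return $false }
        return ($sanExt.Format($false) -match [regex]::Escape($HostName))
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

# Usage once the certificate is installed: both must report True.
# Test-TlsName -HostName $NewFqdn
# Test-TlsName -HostName $OldFqdn
```

Step 4 only proves that the names are encoded in the request; whether the CA copies them into the issued certificate is what step 5 verifies, and a single-name IIS site will pass both checks as long as the one bound certificate carries both names.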
Today I used:
Look! Free certificates for “.edu” (higher education, and the like) customers! Certificate generation is a bit slow, but then what do you expect for free? I wonder what will happen when their root certificate expires in 2009?