Generating SSL certificates for multi-named systems

Recently we changed the name of an application server (groan).  This application has a web front end that requires SSL.  See the problem yet?  New name=certificate mismatch.  To limit this issue, I plan to maintain both the new and old names in DNS, but how to prevent SSL from “breaking”?  One solution would be to multi-home the system, create a separate IIS site for the new IP, and assign this a second SSL certificate.  Unfortunately, our application is hostile to this approach… without making our implementation overly complex, we can have only one IIS site serving the application.

I believe the solution is to add a “Subject Alternative Name” (SAN) to the SSL cert.  Unfortunately, IIS does not make this easy.  The certificate request wizard does not allow for the specification of a SAN.  Once again, it is the command line to the rescue…

The following KB article details the use of the certreq.exe command-line tool to generate a certificate signing request with a SAN, suitable for submission to a third-party CA:

The instructions worked fairly well for me, except that I needed to change the “RequestType” to “PKCS10” from “CMC”, as shown here:

So, here is a representation of my certreq.exe .inf file:


[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=[FQDN of Server],OU=Enterprise Technology Services,O=University of Vermont,L=Burlington,ST=Vermont,C=US"
Exportable = FALSE
KeyLength = 1024        ; as used at the time of writing; public CAs now require at least 2048
KeySpec = 1             ; Key Exchange
KeyUsage = 0xA0         ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1   ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer
SAN="dns=[FQDN from CN]&dns=[Original FQDN of Server]"

Note the syntax of the “SAN” line.  Be sure to use “dns=” twice… once for each FQDN.

Now generate the certificate request file:

certreq.exe -new certreq.inf certreq.req

Cut and paste the contents of your .req file into the application for your third-party CA cert.

Today I used:

Look!  Free certificates for “.edu” (higher education, and the like) customers!  Certificate generation is a bit slow, but then what do you expect for free?  I wonder what will happen when their root certificate expires in 2009?


One thought on “Generating SSL certificates for multi-named systems”

  1. Of course, this did not actually work… ipsCA did not respect the request for a SAN in the CSR. I got the certificate, but it contained no SAN. Dang!
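The outcome in the comment above is worth checking for before a CSR ever leaves the machine: a SAN given in the [RequestAttributes] section of the .inf travels as a Microsoft name-value request attribute, not as the X.509 Subject Alternative Name extension (OID 2.5.29.17) inside the PKCS#10 extensionRequest, so a CA that does not process that attribute will issue a certificate with no SAN. The script below is an added example and is not code from the original post; it decodes a CSR with a minimal pure-Python DER walker, lists the dNSName entries found in the SAN extension, and reports which of the names clients will connect with (the new and the old FQDN) are missing. The sample CSRs it builds are constructed test input with a dummy key and dummy signature, and the hostnames newname.example.edu and oldname.example.edu are placeholders.

```python
"""Verify that a PKCS#10 CSR carries the SAN dNSName entries a server needs
before submitting it to a CA.  Added example; pure standard library."""
import base64
import re

OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"   # PKCS#9 extensionRequest attribute
OID_SUBJECT_ALT_NAME = "2.5.29.17"                # X.509 subjectAltName extension


# ---- minimal DER decoding ----------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def csr_san_dns_names(csr):
    """Return the dNSName values in the CSR's SAN extension, in order.
    Returns [] when the CSR carries no SAN extension at all."""
    if isinstance(csr, str) or csr[:1] == b"-":   # PEM -> DER
        text = csr.decode() if isinstance(csr, bytes) else csr
        csr = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", text))
    _, cert_req, _ = _read_tlv(csr, 0)            # CertificationRequest
    _, cri, _ = _read_tlv(cert_req, 0)            # CertificationRequestInfo
    fields = list(_children(cri))                 # version, subject, spki, [0] attributes
    names = []
    for tag, attrs in fields[3:]:
        if tag != 0xA0:
            continue
        for _, attr in _children(attrs):          # Attribute ::= SEQ { OID, SET OF value }
            attr_oid, attr_set = list(_children(attr))[:2]
            if _decode_oid(attr_oid[1]) != OID_EXTENSION_REQUEST:
                continue
            for _, exts in _children(attr_set[1]):            # Extensions ::= SEQ OF Extension
                for _, ext in _children(exts):                # Extension ::= SEQ { OID, [crit], OCTET STRING }
                    parts = list(_children(ext))
                    if _decode_oid(parts[0][1]) != OID_SUBJECT_ALT_NAME:
                        continue
                    _, general_names, _ = _read_tlv(parts[-1][1], 0)   # OCTET STRING wraps GeneralNames
                    for gn_tag, gn in _children(general_names):
                        if gn_tag == 0x82:                    # [2] dNSName (IA5String)
                            names.append(gn.decode("ascii"))
    return names


def missing_san_names(csr, required):
    """Names clients may connect with that the CSR's SAN does not list."""
    present = {n.lower() for n in csr_san_dns_names(csr)}
    return [n for n in required if n.lower() not in present]


# ---- constructed sample input --------------------------------------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return _der(0x06, bytes(out))


def build_sample_csr(san_dns_names):
    """CONSTRUCTED test input: a structurally valid PKCS#10 CSR with a dummy key
    and dummy signature.  An empty list yields a CSR without any SAN extension,
    which is what a CA sees when the SAN was supplied only as a request attribute."""
    subject = _der(0x30, _der(0x31, _der(0x30, _encode_oid("2.5.4.3") + _der(0x13, b"newname.example.edu"))))
    spki = _der(0x30, _der(0x30, _encode_oid("1.2.840.113549.1.1.1") + _der(0x05, b"")) + _der(0x03, b"\x00" * 17))
    attrs = b""
    if san_dns_names:
        general_names = b"".join(_der(0x82, n.encode("ascii")) for n in san_dns_names)
        san_ext = _der(0x30, _encode_oid(OID_SUBJECT_ALT_NAME) + _der(0x04, _der(0x30, general_names)))
        attrs = _der(0x30, _encode_oid(OID_EXTENSION_REQUEST) + _der(0x31, _der(0x30, san_ext)))
    cri = _der(0x30, _der(0x02, b"\x00") + subject + spki + _der(0xA0, attrs))
    sig_alg = _der(0x30, _encode_oid("1.2.840.113549.1.1.11") + _der(0x05, b""))
    csr = _der(0x30, cri + sig_alg + _der(0x03, b"\x00" * 17))
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(csr).decode()
            + "-----END NEW CERTIFICATE REQUEST-----\n")


if __name__ == "__main__":
    import sys
    wanted = ["newname.example.edu", "oldname.example.edu"]     # placeholder FQDNs
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_csr([])
    print("SAN dNSNames in CSR:", csr_san_dns_names(data))
    print("names still missing:", missing_san_names(data, wanted))
```

Run it with the .req file produced by certreq.exe as its argument (without an argument it checks a constructed CSR that has no SAN). An empty result from the first line means the CSR itself carries no SAN extension and the outcome will depend entirely on whether the CA honours Microsoft's request attribute; to embed the names in the CSR proper, certreq also accepts an [Extensions] section with 2.5.29.17 = "{text}" followed by _continue_ = "dns=name&" lines, which any CA will see in the standard extensionRequest.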

