Howto: Enable SAN Certificates on Internal CA

Today I faced a problem where I needed to deploy two certificates for some internal use. As many times before, I used our internal Certificate Authority and requested a Web Server certificate; however, because of the newer Chrome/Edge validation rules, the certificate was flagged as not secure, as the web server could not prove it was the owner of the name the browser connected to.

The reason is that browsers nowadays rely on the Subject Alternative Name (SAN) in the certificate to carry the host name as well, not just the Common Name of the certificate.

Knowing the request attributes, I revoked the initial request and made a new one containing the san:dns attribute; sadly, however, the issued certificate omitted it entirely. If you face the same challenge, read along.

On your Internal Certificate Authority

First of all, make a backup of the registry key 😀

Secondly, open a Command Prompt as administrator (not PowerShell) and run the commands below.

They change the EditFlags registry value located at HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CertSvc\Configuration\TV2Bornholm-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags (resulting hex value: 15014e)

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
REM restart the CA service so the new flag takes effect
net stop certsvc && net start certsvc

Old Value:
  EditFlags REG_DWORD = 11014e (1114446)

New Value:
  EditFlags REG_DWORD = 15014e (1376590)
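The difference between the two values is exactly one bit, 0x40000, which is EDITF_ATTRIBUTESUBJECTALTNAME2. Because the flag is set on the CA's policy module rather than on a template, it makes the CA honor san: request attributes for every template it issues, so it is worth being able to see at a glance whether it is on and how to turn it off again. The PowerShell below is an added example, not code from the original post: it reads the active CA name from the Active value under CertSvc\Configuration (an assumption about where that value lives), decodes the EditFlags bits with the names certutil uses, and prints the reverse command. Run it in an elevated PowerShell on the CA itself.

```powershell
# Added example (not from the original post): decode the CA's EditFlags value and
# report whether EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) is set.
# Assumptions: run on the CA with an elevated PowerShell; the active CA name is read
# from the "Active" value under CertSvc\Configuration.

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$policy = Join-Path $base "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"

# Bit values and the names certutil prints for them (subset that covers 0x11014e / 0x15014e)
$editFlagNames = [ordered]@{
    0x00000002 = 'EDITF_DISABLEEXTENSIONLIST'
    0x00000004 = 'EDITF_ADDOLDKEYUSAGE'
    0x00000008 = 'EDITF_ADDOLDCERTTYPE'
    0x00000040 = 'EDITF_BASICCONSTRAINTSCA'
    0x00000100 = 'EDITF_ENABLEAKIKEYID'
    0x00010000 = 'EDITF_ENABLEDEFAULTSMIME'
    0x00040000 = 'EDITF_ATTRIBUTESUBJECTALTNAME2'
    0x00100000 = 'EDITF_AUDITCERTTEMPLATELOAD'
}

$editFlags = [int](Get-ItemProperty -Path $policy -Name EditFlags).EditFlags
"EditFlags for {0}: 0x{1:x} ({1})" -f $caName, $editFlags

# List every known bit that is set in the current value
foreach ($bit in $editFlagNames.Keys) {
    if ($editFlags -band $bit) {
        "  set: {0} (0x{1:x})" -f $editFlagNames[$bit], $bit
    }
}

$sanFlag = 0x00040000
if ($editFlags -band $sanFlag) {
    "EDITF_ATTRIBUTESUBJECTALTNAME2 is ON: san: request attributes set the SAN on any template."
    "To switch it off again:  certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2"
    "then restart the service: net stop certsvc && net start certsvc"
} else {
    "EDITF_ATTRIBUTESUBJECTALTNAME2 is OFF: san: request attributes are ignored by the CA."
}
```

With the old value 11014e the script lists seven flags and reports the SAN flag as OFF; with 15014e it lists the same seven plus EDITF_ATTRIBUTESUBJECTALTNAME2 and reports it ON. The `-` form of `certutil -setreg` clears a single flag without touching the others, which is the tidier way back compared to restoring the whole registry key from the backup.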

Once that is completed, you can go ahead and request a certificate through the normal web enrollment pages at https://<internal-CA>/certsrv

In the certificate request

Select the advanced request and fill in the attributes box like this

san:dns=room.domain.tld

or if you need multiple SAN names

san:dns=room.domain.tld&dns=kitchen.somewhere.com&dns=kitchen

Import the signed certificate to the webserver and reload.

Now your browser should gladly accept the certificate.
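Before trusting the browser as the test, it is quicker to look at the issued certificate itself and confirm the SAN extension carries every DNS name the request asked for; a certificate that still has only a Common Name is exactly what the CA hands back when the flag did not take. The function below is an added example, not code from the original post. It loads a .cer/.crt/.pfx file with the .NET X509Certificate2 class, renders the 2.5.29.17 extension with Format($true), and compares the "DNS Name=" entries against the list you expect. The file path and host names in the usage line are placeholders.

```powershell
# Added example (not from the original post): verify that an issued certificate's
# Subject Alternative Name contains each DNS name the request asked for.
# Assumptions: the certificate is on disk as .cer/.crt/.pfx; the names below are placeholders.

function Test-SanCoverage {
    param(
        [Parameter(Mandatory)] [string]   $CertPath,          # issued certificate file
        [Parameter(Mandatory)] [string[]] $ExpectedDnsNames   # names clients will connect with
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    if (-not $san) {
        Write-Warning "No Subject Alternative Name extension in '$($cert.Subject)'; browsers will not match the host name."
        return $false
    }

    # Format($true) renders one entry per line, e.g. "DNS Name=room.domain.tld"
    $present = [regex]::Matches($san.Format($true), 'DNS Name=([^\r\n,]+)') |
               ForEach-Object { $_.Groups[1].Value.Trim().ToLowerInvariant() }

    "SAN DNS names in certificate: $($present -join ', ')"

    $missing = $ExpectedDnsNames | Where-Object { $_.ToLowerInvariant() -notin $present }
    if ($missing) {
        Write-Warning "Missing from SAN: $($missing -join ', ')"
        return $false
    }

    "All expected names present; valid until $($cert.NotAfter)"
    return $true
}

# Usage (placeholder path and names, matching the request attribute shown above):
Test-SanCoverage -CertPath 'C:\temp\room.cer' `
                 -ExpectedDnsNames 'room.domain.tld', 'kitchen.somewhere.com', 'kitchen'
```

A return value of $true means every name from the san:dns attribute made it into the certificate; $false with the "No Subject Alternative Name" warning is the symptom described at the top of the post, and means the CA ignored the attribute, so the EditFlags change and the certsvc restart are the first things to re-check.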


© 2021: Noervig's notes | Easy Theme by: D5 Creation | Powered by: WordPress