Howto: Enable SAN Certificates on Internal CA
Today I faced a problem where I needed to deploy two certicates for some internal use. Like many times before I used our internal Certificate Authority and requested a Web Server certificat, however due to Chrome/Edge new security, the certicate rendered unsecure, as the Webserver didn’t managed to prove it was the owner of the certificate.
The reason being that now a days we rely on the Subject Alternate Name in the certificate to also include the name, not just the common name of the certificate.
Well knowing my attributes i revoked the initial request and made a new one containing the san:dns attribute, sadly however the issued certificate totally omitted that. If you face the same challenge read along
On your Internal Certificate Authority
First of all, make a backup of the registry key 😀
Secondly open commandprompt as administrator (not powershell) and use this command
Change the registry value of EditFlags located in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CertSvc\Configuration\TV2Bornholm-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags (Hex val:15014e) certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 #restart the services net stop certsvc && net start certsvc Old Value: EditFlags REG_DWORD = 11014e (1114446) New Value: EditFlags REG_DWORD = 15014e (1376590)
Once that is completed you can go ahead and request a certificate using a normal certificate request via https://<internal-CA>/certsrv
In the certificate request
Select advanced and fill in attribute like this
san:dns=room.domain.tld or if you need multiple SAN names san:dns=room.domain.tld&dns=kitchen.somewhere.com&dns=kitchen
Import the signed certificate to the webserver and reload.
Now your browser should gladly accept the certificate.