Howto: Enable SAN Certificates on Internal CA

Today I faced a problem where I needed to deploy two certificates for some internal use. Like many times before, I used our internal Certificate Authority and requested a Web Server certificate; however, due to the new Chrome/Edge security requirements, the certificate was rendered insecure, as the web server did not manage to prove it was the owner of the certificate.

The reason is that browsers nowadays rely on the Subject Alternative Name (SAN) extension of the certificate to also contain the host name, not just the Common Name of the certificate.

Well knowing my attributes, I revoked the initial request and made a new one containing the san:dns attribute; sadly, however, the issued certificate omitted it entirely. If you face the same challenge, read along.

On your Internal Certificate Authority

First of all, make a backup of the registry key 😀

Secondly, open a command prompt as administrator (not PowerShell) and use the commands below.

This changes the registry value EditFlags located in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CertSvc\Configuration\TV2Bornholm-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy (new hex value: 15014e). The bit being added is EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000). Keep in mind that with this flag set the CA honours SAN values supplied as request attributes by any requester, so keep the CA's enrolment permissions tight and revert the flag when you no longer need it.

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
rem restart the certificate service so the policy module picks up the new flag
net stop certsvc && net start certsvc

Old Value:
  EditFlags REG_DWORD = 11014e (1114446)

New Value:
  EditFlags REG_DWORD = 15014e (1376590)

Once that is completed you can go ahead and request a certificate using a normal certificate request via https://<internal-CA>/certsrv

In the certificate request

Select the advanced certificate request and fill in the san:dns attribute in the attributes field as shown in the original screenshot (image not preserved here).

If you need multiple SAN names, list them all in the same attribute (second screenshot, also not preserved).
Import the signed certificate to the webserver and reload.

Now your browser should gladly accept the certificate.
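An added check that is not part of the original post: the PowerShell below audits the EditFlags bit on the CA (the same policy key as above, reached via CurrentControlSet) and verifies from a client that the certificate the web server presents carries the host name in its SAN. The CA name is the one from the post; the host name is a constructed placeholder.

```powershell
# Added example, not from the original post. Run Test-AttributeSanEnabled on the CA
# and Test-ServedCertificateSan from any client that can reach the web server.
$CaName  = 'TV2Bornholm-CA'
$WebHost = 'web01.example.internal'   # constructed placeholder, replace with your host
$Port    = 443

# EDITF_ATTRIBUTESUBJECTALTNAME2 is bit 0x40000; the post's change 0x11014e -> 0x15014e
# adds exactly this bit and nothing else.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000
$PolicyKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName" +
             "\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"

function Test-AttributeSanEnabled {
    # Reads EditFlags from the CA's policy module key and reports the SAN-attribute bit.
    param([string]$Path = $PolicyKey)
    $flags = [int](Get-ItemProperty -Path $Path -Name EditFlags).EditFlags
    [pscustomobject]@{
        EditFlags           = '0x{0:x}' -f $flags
        AttributeSanEnabled = ($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
    }
}

function Get-ServedSanDnsNames {
    # Opens a TLS session, takes the leaf certificate the server presents and
    # returns the DNS names listed in its Subject Alternative Name (OID 2.5.29.17).
    param([string]$HostName, [int]$TcpPort = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $TcpPort)
    try {
        # Chain validation is bypassed on purpose: this check only inspects the SAN.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if (-not $san) { return @() }
        # Multi-line Format() output reads "DNS Name=host" per line on Windows.
        $san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        }
    } finally { $tcp.Close() }
}

function Test-ServedCertificateSan {
    # True when the host name you connect with is one of the served SAN DNS names,
    # which is what Chrome/Edge require; the Common Name alone is not enough.
    param([string]$HostName = $WebHost, [int]$TcpPort = $Port)
    $names = @(Get-ServedSanDnsNames -HostName $HostName -TcpPort $TcpPort)
    Write-Host ("SAN DNS names: {0}" -f ($names -join ', '))
    return ($names -contains $HostName)
}
```

If Test-ServedCertificateSan returns False after reissuing, the SAN attribute was still not honoured and the certificate should be revoked and requested again.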


© 2024 Noervig's notes