Howto: Enable SAN Certificates on Internal CA
Today I faced a problem where I needed to deploy two certificates for some internal use. Like many times before, I used our internal Certificate Authority and requested a Web Server certificate; however, due to the new security behaviour in Chrome/Edge, the certificate rendered as insecure, as the web server didn't manage to prove it was the owner of the certificate.
The reason is that browsers now rely on the Subject Alternative Name (SAN) extension for hostname matching: Chrome (since version 58) and Chromium-based Edge ignore the Common Name entirely, so the server's name has to be present in the SAN, not just in the CN of the certificate.
Knowing my attributes, I revoked the initial request and made a new one containing the san:dns attribute; sadly, however, the issued certificate totally omitted it. If you face the same challenge, read along.
On your Internal Certificate Authority
First of all, make a backup of the registry key 😀
A word of caution before you change anything: the flag below is CA-wide, not per template. Once it is set, anyone who can enroll for any template on this CA can put arbitrary names into the request attributes, including another user's UPN, and the CA will sign them. This is the misconfiguration catalogued as ESC6 in the "Certified Pre-Owned" AD CS research, so only enable it if every template on the CA is locked down, and prefer putting the SAN into the CSR itself (see the end of this post) where a template with "Supply in the request" and tight enrollment permissions is enough.
Secondly, open a command prompt as administrator (not PowerShell) and use this command.
It changes the registry value EditFlags located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\TV2Bornholm-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy (TV2Bornholm-CA is the CA name in this example; substitute your own). The command adds the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x40000) to the existing value; on this CA the value went from 0x11014e to 0x15014e.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
REM restart the service so the policy module picks up the new flags
net stop certsvc && net start certsvc
certutil prints the old and new values, and the difference should be exactly 0x40000:
Old Value: EditFlags REG_DWORD = 11014e (1114446)
New Value: EditFlags REG_DWORD = 15014e (1376590)
Once that is completed you can go ahead and request a certificate using a normal certificate request via https://<internal-CA>/certsrv
In the certificate request
Select "Advanced certificate request", paste your CSR, pick the Web Server template and fill in the Attributes box like this (the hostname is a placeholder for your own):
san:dns=web01.corp.example
or, if you need multiple SAN names, chain them with an ampersand:
san:dns=web01.corp.example&dns=intranet.corp.example
Import the signed certificate on the web server and reload. Before trusting it, open the certificate's details and confirm the "Subject Alternative Name" field actually lists every name; if it is missing, the flag was not applied or the service was not restarted.
Now your browser should gladly accept the certificate.
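The script below is an added PowerShell example, not part of the original post. It does three things a practitioner wants around this procedure: it reads EditFlags for the active CA and tells you whether the SAN-from-attributes bit is on (the ESC6 check), it generates a certreq .inf that carries the SAN inside the CSR as the 2.5.29.17 extension so the flag is not needed at all, and it decodes the SAN of the issued certificate so you can verify the names before deploying it. Assumptions: the flag check runs on the CA itself (it relies on the Active value under CertSvc\Configuration naming the CA, as on a default install), certreq.exe is available on the requesting host, and the hostnames, file paths, template name WebServer and the CA config string ca01.corp.example\Corp-Issuing-CA are placeholders constructed for this example.

```powershell
# Added example, not from the original post. Hostnames, paths, template and CA
# config string below are placeholders; replace them with your own values.

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # the bit certutil adds to EditFlags

function Test-SanAttributeFlag {
    # Reads EditFlags for the active CA from the registry and reports whether
    # SAN-from-request-attributes is enabled. Assumption: the 'Active' value
    # under ...\CertSvc\Configuration holds the CA name (default AD CS layout).
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $policy = Join-Path $base "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $flags  = (Get-ItemProperty -Path $policy -Name EditFlags).EditFlags
    [pscustomobject]@{
        CA          = $caName
        EditFlags   = ('0x{0:x}' -f $flags)
        SanFromAttr = (($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)   # $true means ESC6 exposure
    }
}

function New-SanRequestInf {
    param(
        [Parameter(Mandatory)] [string]   $CommonName,
        [Parameter(Mandatory)] [string[]] $DnsNames,
        [string] $Template = 'WebServer'                 # placeholder template name
    )
    # The SAN is placed in the CSR as extension 2.5.29.17, so a template that
    # allows the subject to be supplied in the request is enough; EditFlags is untouched.
    $sanLines = for ($i = 0; $i -lt $DnsNames.Count; $i++) {
        $sep = if ($i -lt $DnsNames.Count - 1) { '&' } else { '' }
        "_continue_ = `"dns=$($DnsNames[$i])$sep`""
    }
    @"
[NewRequest]
Subject = "CN=$CommonName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@
}

function Get-CertificateSan {
    param([Parameter(Mandatory)] [string] $Path)
    # Decodes the SAN extension of an issued certificate and returns the DNS names,
    # so you can confirm the CA kept them before putting the cert on the web server.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($true) yields one "DNS Name=host" line per entry on Windows
    ($san.Format($true) -split "`r?`n") |
        ForEach-Object { $_.Trim() } |
        Where-Object   { $_ -match '^DNS Name=' } |
        ForEach-Object { $_ -replace '^DNS Name=', '' }
}

# --- usage (values constructed for this example) ---
Test-SanAttributeFlag | Format-List

$inf = 'C:\temp\web01.inf'; $csr = 'C:\temp\web01.csr'; $cer = 'C:\temp\web01.cer'
New-SanRequestInf -CommonName 'web01.corp.example' -DnsNames 'web01.corp.example','intranet.corp.example' |
    Set-Content -Path $inf -Encoding ASCII
certreq -new $inf $csr                                                  # builds the CSR, SAN included
certreq -submit -config 'ca01.corp.example\Corp-Issuing-CA' $csr $cer   # placeholder CA config string
certreq -accept $cer                                                    # binds the cert to its private key
Get-CertificateSan -Path $cer                                           # should list both DNS names
```

If Test-SanAttributeFlag reports SanFromAttr as $true on a CA where you did not deliberately lock every template down, treat that as a finding to fix (certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 and a service restart remove the bit). The CSR route works regardless of the flag, as long as the chosen template has "Supply in the request" set for the subject name.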