Configure Windows based Certification Authority to issue SAN certificates

Exchange Server 2007 and Exchange Server 2010 rely heavily on certificates to secure communications between servers and clients. Most of the Exchange deployments I have seen so far use SAN certificates for their CAS and HT servers.

When you choose a third-party CA for your certificate requirements, you pay them according to their pricing, typically every year or per your subscription term.

To keep communications secure without paying a third-party CA, many companies prefer to deploy their own internal CA. After you have deployed your internal CA, one problem you commonly face is issuing certificates that contain multiple subject names (the Subject Alternative Name extension). Neither Windows Server 2003 nor Windows Server 2008/R2 is configured to issue SAN certificates by default: the default policy module configured during CA installation leaves this disabled.

To allow your CA to issue certificates for requests that carry a Subject Alternative Name extension, you must enable this using the CERTUTIL.EXE tool on the CA.

To enable SAN certificate issuance on the CA, follow these steps:

1. Open a command prompt with elevated privileges, or with user credentials that have permission to manage CAs.

2. Run the command certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

3. This command adds the EDITF_ATTRIBUTESUBJECTALTNAME2 bit to the EditFlags value under the registry key SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Server Name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy

The output looks like the following (the values on your CA may differ from those in this example):

C:\>certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Server Name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

Old Value:
  EditFlags REG_DWORD = 11014e (1114446)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)

New Value:
  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.

4. Restart Certificate Services using the Services snap-in or from the command prompt.

5. Once the service has restarted, you can request a certificate with a SAN extension using the web enrollment application.

Warning! Do not enable SAN extension support on your Enterprise Root CA. If you must enable it, do so only on a standalone CA dedicated to issuing SAN certificates.
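An audit script for checking each CA against this warning, added here as an example and not part of the original post: it reads the same EditFlags value that certutil modifies, decodes the bits the way certutil prints them, and flags the case where EDITF_ATTRIBUTESUBJECTALTNAME2 is set on an enterprise CA. It assumes it runs on the CA with rights to read the CertSvc configuration key, and relies on the Active and CAType registry values under that key.

```powershell
# Added audit example (not from the original post). Reads the active CA's EditFlags
# from the registry, the value that certutil -setreg policy\EditFlags modifies, and
# reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set on an enterprise CA.
# Assumes: run on the CA with rights to read HKLM\SYSTEM\...\CertSvc\Configuration.

$EditFlagNames = [ordered]@{          # names and bit values as certutil prints them
    EDITF_REQUESTEXTENSIONLIST     = 0x2
    EDITF_DISABLEEXTENSIONLIST     = 0x4
    EDITF_ADDOLDKEYUSAGE           = 0x8
    EDITF_BASICCONSTRAINTSCRITICAL = 0x40
    EDITF_ENABLEAKIKEYID           = 0x100
    EDITF_ENABLEDEFAULTSMIME       = 0x10000
    EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000
    EDITF_ENABLECHASECLIENTDC      = 0x100000
}
# CAType values from the ENUM_CATYPES enumeration (0/1 enterprise, 3/4 standalone)
$CaTypeNames = @{ 0 = 'Enterprise Root'; 1 = 'Enterprise Subordinate'
                  3 = 'Standalone Root'; 4 = 'Standalone Subordinate' }

function Get-CaSanAttributeStatus {
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
    $caKey     = Join-Path $configKey $caName
    $policyKey = Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'

    $flags  = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
    $caType = (Get-ItemProperty -Path $caKey -Name CAType).CAType

    # Decode EditFlags into the flag names, mirroring certutil's listing
    $flagsSet = foreach ($name in $EditFlagNames.Keys) {
        if (($flags -band $EditFlagNames[$name]) -ne 0) { $name }
    }
    [pscustomobject]@{
        CAName              = $caName
        CAType              = $CaTypeNames[[int]$caType]
        EditFlags           = '0x{0:x} ({0})' -f $flags
        FlagsSet            = $flagsSet -join ', '
        SanAttributeEnabled = ($flags -band 0x40000) -ne 0
        IsEnterpriseCA      = ($caType -eq 0 -or $caType -eq 1)
    }
}

$status = Get-CaSanAttributeStatus
$status | Format-List
if ($status.SanAttributeEnabled -and $status.IsEnterpriseCA) {
    $msg = "EDITF_ATTRIBUTESUBJECTALTNAME2 is set on enterprise CA '$($status.CAName)': the flag is CA-wide, " +
           "so names supplied in request attributes are honoured for every template; move SAN issuance to a dedicated standalone CA."
    Write-Warning $msg
}
```

Run it after step 4 on every CA in the forest; a clean enterprise CA reports SanAttributeEnabled as False.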

References:

Security best practices for allowing SANs in certificates

 
