Create a SAN CSR using MMC

If you want to create a Certificate Signing Request (CSR) for a Subject Alternative Names (SAN) certificate, you can use the Microsoft Management Console (MMC) to create such a request.

On a Windows computer open MMC.exe and add the Certificates snap-in.

Make sure you choose ‘Computer account’ to manage certificates for on the local computer.

Rightclick on the Certificates folder and choose ‘All Tasks’ –> ‘Advanced Operations’ –> ‘ Create Custom Request’.

Click Next on the informational screen.

Choose ‘Proceed without enrollment policy’ and click Next.

Change the Template to ‘(No template) Legacy key’ for compatibility and click Next.

Click on the Properties button to configure the CSR.

Enter a Friendly name and a description. This is only used to identify the certificate easily. Click Apply when ready and go to the Subject tab.

At the Subject name section, leave the type to Full DN. Use the Value field to enter administrative information.

Example:

CN=mail.onkelx.nl

OU=OnkelX

O=IT

L= Vleuten

S=Utrecht

C=NL

Put each of these values in the Value field and click Add to add the value.

In the Alternative name section, add all DNS names that you want as alternative names. Also include the common name that you already added in the Subject name section. This is required because if an SSL certificate has a Subject Alternative Name (SAN), then SSL clients are supposed to ignore the Common Name value and seek a match in the SAN list. Click Apply when ready and go to the Extensions tab.

Open the Extended Key Usage (application policies) section, and add ‘Server Authentication’ to the Selected options.

Click Apply and go to the Private Key tab.

Open the Key options section and set the Key size to at least 2048. If you need to export the certificate including the private key, enable the ‘Make private key exportable’ option. When ready, click Apply and OK.

All CSR information has been added now. Click Next to proceed.

Specify a file name and location for the CSR and leave the File format to Base 64. Click Finish to save the file.

When you look at the Certificate Enrollment Requests in the MMC, you will see the CSR. This will automatically be removed once you import the certificate.

To verify your CSR, you can use a CSR checker on the Internet.

https://www.digicert.com/ssltools/view-csr/

Open your CSR file, copy the content to the webpage and click the ‘Check CSR’ button.

Check if all values are correct.

Now you can use the CSR to request an SSL SAN certificate. You can use your own (Microsoft) CA, or a commercial CA.

One thought on “Create a SAN CSR using MMC

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.