If you want to create a Certificate Signing Request (CSR) for a single-name or a Subject Alternative Name (SAN) certificate, for example for a website, you can use Certreq.exe to create the request from a small INF template.
Open Notepad or any other text editor and copy the following template into it.
[NewRequest]
Subject = "CN=<Main FQDN>, OU=<Organizational Unit>, O=<Organization>, L=<Location>, S=<State>, C=<Country>"
Exportable = <TRUE/FALSE>
KeySpec = 1
KeyLength = <2048/4096>
HashAlgorithm = SHA384
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName = "<friendly description of the certificate>"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

[RequestAttributes]
CertificateTemplate = WebServer

; Use the section below if Subject Alternative Names (SANs) are needed, otherwise delete this line and everything below it.
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=<Main FQDN>&"
_continue_ = "dns=<1st Subject Alternative Name FQDN>&"
Replace all the <> blocks with the required values so that you end up with a text file like the one below. The example could be used for an Exchange server that needs the FQDNs 'mail.onkelx.nl' and 'autodiscover.onkelx.nl' with a 2048-bit key. Because 'Exportable' is set to TRUE, the private key generated for this CSR can later be exported from the machine's key store (for example as a PFX) by any local administrator; set it to FALSE unless you really need to move the certificate to other hosts. A few more points to check before you save the file: the continuation lines in the [Extensions] section must use the keyword _continue_ including the underscores, because certreq rejects a plain 'continue' with 'The parameter is incorrect'; each dns= value ends with '&' because certreq concatenates the continuation lines into one string; the CertificateTemplate attribute only means something to your own enterprise (Microsoft) CA and is ignored by a commercial CA; and the Client Authentication EKU is only needed if the host also has to authenticate itself as a TLS client, otherwise keep just Server Authentication.
If several FQDNs are needed, also include the common name (CN=mail.onkelx.nl) in the SAN section (dns=mail.onkelx.nl&). This is required because when a certificate carries a Subject Alternative Name extension, TLS clients are supposed to ignore the Common Name and look for a match in the SAN list only (RFC 6125, section 6.4.4), and current browsers ignore the CN altogether. Every host name a client will connect to must therefore appear as a dns= entry.
[NewRequest]
Subject = "CN=mail.onkelx.nl, OU=IT Department, O=OnkelX, L=Vleuten, S=Utrecht, C=NL"
Exportable = TRUE
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA384
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName = "Exchange mail.onkelx.nl"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

[RequestAttributes]
CertificateTemplate = WebServer

; Use the section below if Subject Alternative Names (SANs) are needed, otherwise delete this line and everything below it.
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=mail.onkelx.nl&"
_continue_ = "dns=autodiscover.onkelx.nl&"
Save this text to a file named 'template.inf'. Open a Command Prompt as an Administrator (the template uses MachineKeySet = TRUE, so the private key is generated in the computer's key store, which needs elevation) and change to the folder where you saved the template file.
Use the following command to create a CSR file named ‘mail_onkelx_nl.csr’ based on the information from the template file. The file is saved in the current folder.
certreq -new template.inf mail_onkelx_nl.csr
When the CSR file has been created, you can open it in a text editor. The first line should be '-----BEGIN NEW CERTIFICATE REQUEST-----' and the last line '-----END NEW CERTIFICATE REQUEST-----'. The private key is not in this file: it stays in the machine's key store and is paired with the certificate when you install the issued certificate later (certreq -accept).
To verify the CSR, you can paste it into an online CSR checker, for example:
https://www.digicert.com/ssltools/view-csr/
Open the CSR file, copy its contents into the web page and click the 'Check CSR' button.
Check that the subject, the key length and every SAN entry are correct. The CSR contains only the public key and the requested names, so pasting it into a third-party checker does not expose anything secret, but the same decode can be done offline on the machine itself with certutil -dump.
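The whole procedure above, generating the INF, running certreq and checking the result, as one script. This is an added example and not code from the original article: the function names, the subject defaults (OU, O, L, S, C) and the decision to use SHA256 and Server Authentication only are this example's own choices; the host names are the article's. It also handles the continuation-keyword mistake discussed in the comments below by always emitting _continue_ lines, and it checks the CSR offline with certutil instead of a web tool.

```powershell
# Added example (not part of the original article): build the certreq INF for a SAN
# certificate from a list of host names, run certreq -new, then decode the CSR with
# certutil so the names and key size can be checked offline. Function names and the
# subject defaults are this example's own; the host names are the article's.

function New-SanCsrInf {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [string[]]$SubjectAlternativeNames = @(),
        [string]$OrganizationalUnit = 'IT Department',
        [string]$Organization = 'OnkelX',
        [string]$Locality = 'Vleuten',
        [string]$State = 'Utrecht',
        [string]$Country = 'NL',
        [ValidateSet(2048, 3072, 4096)][int]$KeyLength = 2048,
        [string]$FriendlyName = '',
        # Off by default: an exportable private key can be copied out of the machine store as
        # a PFX by any local administrator. Enable only if the cert must live on several hosts.
        [switch]$Exportable
    )
    if (-not $FriendlyName) { $FriendlyName = "Web server certificate for $CommonName" }

    # A client that finds a SAN extension ignores the CN (RFC 6125, 6.4.4), so the CN always
    # goes into the SAN list too; it is placed first, names are lower-cased and de-duplicated.
    $names = (@($CommonName) + $SubjectAlternativeNames) |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Select-Object -Unique

    # The keyword is _continue_ with underscores; a bare "continue =" makes certreq fail with
    # "The parameter is incorrect". certreq concatenates the values, so each ends with "&".
    $sanLines = ($names | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
    $exportFlag = if ($Exportable) { 'TRUE' } else { 'FALSE' }

    @"
[NewRequest]
Subject = "CN=$CommonName, OU=$OrganizationalUnit, O=$Organization, L=$Locality, S=$State, C=$Country"
Exportable = $exportFlag
KeySpec = 1
KeyLength = $KeyLength
HashAlgorithm = SHA256
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName = "$FriendlyName"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication only; add 1.3.6.1.5.5.7.3.2 if the host is also a TLS client

[RequestAttributes]
CertificateTemplate = WebServer ; honoured by an enterprise CA only, ignored by a commercial CA

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@
}

function Test-CsrNames {
    param(
        [Parameter(Mandatory)][string]$CsrPath,
        [Parameter(Mandatory)][string[]]$ExpectedNames
    )
    # certutil decodes the request locally. Assumes an English-language certutil, which prints
    # each SAN entry as "DNS Name=<fqdn>" and the key size as "Public Key Length: <n> bits";
    # localised Windows builds translate these labels.
    $dump = & certutil.exe -dump $CsrPath
    $found = @(); $keyLength = $null
    foreach ($line in $dump) {
        if ($line -match '^\s*DNS Name=(\S+)')                 { $found += $Matches[1].ToLowerInvariant() }
        elseif ($line -match '^Public Key Length: (\d+) bits') { $keyLength = [int]$Matches[1] }
    }
    $missing = @($ExpectedNames | ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $found -notcontains $_ })
    [pscustomobject]@{
        CsrPath      = $CsrPath
        KeyLength    = $keyLength
        DnsNames     = $found
        MissingNames = $missing
        Ok           = ($missing.Count -eq 0 -and $keyLength -ge 2048)
    }
}

function New-SanCsr {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [string[]]$SubjectAlternativeNames = @(),
        [Parameter(Mandatory)][string]$CsrPath,
        [switch]$Exportable
    )
    $infPath = [System.IO.Path]::ChangeExtension($CsrPath, '.inf')
    New-SanCsrInf -CommonName $CommonName -SubjectAlternativeNames $SubjectAlternativeNames -Exportable:$Exportable |
        Set-Content -Path $infPath -Encoding Ascii   # subject values must be ASCII with this encoding

    # MachineKeySet = TRUE puts the private key in the computer's key store: run this elevated.
    & certreq.exe -new $infPath $CsrPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

    # The CSR is PEM text without the private key, which stays in the key store.
    $header = Get-Content -Path $CsrPath -TotalCount 1
    if ($header -ne '-----BEGIN NEW CERTIFICATE REQUEST-----') { throw "Unexpected first line: $header" }

    Test-CsrNames -CsrPath $CsrPath -ExpectedNames (@($CommonName) + $SubjectAlternativeNames)
}

# The article's Exchange example with two names. Run from an elevated PowerShell on Windows.
$result = New-SanCsr -CommonName 'mail.onkelx.nl' -SubjectAlternativeNames @('autodiscover.onkelx.nl') `
    -CsrPath (Join-Path $PWD 'mail_onkelx_nl.csr')
$result | Format-List
if (-not $result.Ok) { Write-Error "CSR check failed; missing names: $($result.MissingNames -join ', ')" }
```

The script leaves the key non-exportable unless -Exportable is passed, which is the safer default for a key that only ever has to live on one server. The certutil regexes are the one environment-specific part: on a non-English Windows the labels differ, so adjust the two patterns in Test-CsrNames if Ok comes back false while certutil itself reports the names correctly.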
Now you can use the CSR to request an SSL SAN certificate. You can use your own (Microsoft) CA, or a commercial CA.
If you want to create a (SAN) CSR using the Microsoft Management Console (MMC), check the following article.
When I am trying to generate the CSR with multiple DNS names using the config data below:
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "CN=server.com, C=BE, ST=Brussels, L=Brussels, OU=company, O=company, E=xyz@gmail.com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
FriendlyName = "friendlyname.com"
HashAlgorithm = "SHA256"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
[Extensions]
2.5.29.17 = "{text}"
continue = "DNS=dns1.com"
continue = "DNS=dns2.com"
I am getting the error saying:
The parameter is incorrect [Extensions] 2.5.29.17 ={text}
Can you please help me to fix the issue?
In the [Extensions] part, you need to use underscores:
_continue_ = "dns=dns1.com"
_continue_ = "dns=dns2.com"