To enable issuing certificates with a Subject Alternative Name (SAN) on the CA, follow these steps:

1. Open a command prompt with elevated privileges, or with user credentials that have permission to manage CAs.

2. Run the command certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

3. This command changes the value of EditFlags, adding the EDITF_ATTRIBUTESUBJECTALTNAME2 flag, in the registry key located at SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Server Name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy

The output looks like the following. (Please note that the values on your CA may differ from those in this example.)

C:\>certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Server Name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

Old Value:
EditFlags REG_DWORD = 11014e (1114446)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ADDOLDKEYUSAGE -- 8
EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)

New Value:
EditFlags REG_DWORD = 15014e (1376590)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ADDOLDKEYUSAGE -- 8
EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.

4. Restart Certificate Services (CertSvc) using the Services snap-in or the command prompt.

5. Once the service is restarted, you can request a certificate with a SAN extension using the web enrollment application.
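
The flag is set on the CA's policy module, so it governs SAN handling for the whole CA, and it is worth being able to confirm which CAs carry it. The PowerShell below is an added example, not part of the original post: it decodes an EditFlags value using only the flag names shown in the certutil output above, checks the two values from that output, and then reads EditFlags for each CA on the local host. The function name ConvertFrom-EditFlags is made up for this example, and the registry path is assumed to sit under HKEY_LOCAL_MACHINE.

```powershell
# Added example, not from the original post. Flag names and bit values are
# the ones shown in the certutil output above; other bits are reported as hex.
$EditFlagTable = @(
    @{ Bit = 0x2;      Name = 'EDITF_REQUESTEXTENSIONLIST' }
    @{ Bit = 0x4;      Name = 'EDITF_DISABLEEXTENSIONLIST' }
    @{ Bit = 0x8;      Name = 'EDITF_ADDOLDKEYUSAGE' }
    @{ Bit = 0x40;     Name = 'EDITF_BASICCONSTRAINTSCRITICAL' }
    @{ Bit = 0x100;    Name = 'EDITF_ENABLEAKIKEYID' }
    @{ Bit = 0x10000;  Name = 'EDITF_ENABLEDEFAULTSMIME' }
    @{ Bit = 0x40000;  Name = 'EDITF_ATTRIBUTESUBJECTALTNAME2' }
    @{ Bit = 0x100000; Name = 'EDITF_ENABLECHASECLIENTDC' }
)

function ConvertFrom-EditFlags {
    param([Parameter(Mandatory)][int]$Value)
    $names = @()
    $rest  = $Value
    foreach ($f in $EditFlagTable) {
        if ($Value -band $f.Bit) {
            $names += $f.Name
            $rest = $rest -bxor $f.Bit   # clear the bit we just named
        }
    }
    [pscustomobject]@{
        Value        = '0x{0:x}' -f $Value
        Flags        = $names
        UnknownBits  = '0x{0:x}' -f $rest   # bits not in the table above
        SanAttribute = [bool]($Value -band 0x40000)
    }
}

# Offline check against the two values printed in the post.
$old = ConvertFrom-EditFlags 0x11014e
$new = ConvertFrom-EditFlags 0x15014e
'Old value has the SAN flag: {0}' -f $old.SanAttribute
'New value has the SAN flag: {0}' -f $new.SanAttribute
'Flags added: ' + (($new.Flags | Where-Object { $_ -notin $old.Flags }) -join ', ')

# Live check: every CA configured on this host (needs read access to HKLM).
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path $cfg) {
    foreach ($ca in Get-ChildItem $cfg) {
        $key = "$($ca.PSPath)\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
        $p = Get-ItemProperty -LiteralPath $key -Name EditFlags -ErrorAction SilentlyContinue
        if ($p) {
            ConvertFrom-EditFlags $p.EditFlags |
                Add-Member -NotePropertyName CA -NotePropertyValue $ca.PSChildName -PassThru
        }
    }
}
```

On a host without the CA role, the registry section is skipped and only the offline check runs.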
