Subject Alternative Names (SAN) certificates can save time and money because they allow you to use a single certificate for upto 5 domain names. They are quite common on servers that run Microsoft Exchange.
Cloud providers of Exchange Online, like Office 365, usually take care of their own certificates and now that Exchange on-prem has become less fashionable with the tech community, it is easy to forget about SAN Certificates, so we here is are the easy, but far from obvious steps you need to follow to create a SAN Certificate Request (aka, SAN CSR).
In the example below we are going to build a SAN cert request for the following domains:
How To Create a Multi-Domain SAN Cert Request:
PHASE 1 – How To Get Into the Certificate Repository
- Click START, type MMC.EXE and click on it
- File FILE > ADD/REMOVE SNAP-IN…
- Double click CERTIFICATE SERVICES
- Click COMPUTER ACCOUNT > NEXT button
- Leave on LOCAL COMPUTER and select FINISH
- Click OK on the ADD OR REMOVE SNAP-INS with CERTIFICATES (LOCAL COMPUTER)
PHASE 2 – How To Create the SAN Certificate Request
- Right click on PERSONAL and select ALL TASKS > ADVANCED OPERATIONS > CREATE A CUSTOM REQUEST
- Click NEXT on CERTIFICATE ENROLLMENT screen
- Click CUSTOM REQUEST > PROCEED WITHOUT ENROLLMENT POLICY and then NEXT
- On the CUSTOM REQUEST screen, change nothing and click NEXT
- On the CERTIFICATE INFORMATION screen, click the DETAILS expansion and the PROPERTIES button
- Click the SUBJECT tab:
- change the SUBJECT NAME: TYPE to COMMON NAME and enter the main URL
- change the ALTERNATIVE NAMES: TYPE to DNS enter the secondary URLs
- Click the PRIVATE KEY tab
- Expand KEY OPTIONS and set the KEY SIZE to 2048
- Click on MAKE PRIVATE KEY EXPORTABLE and then the OK button
- In the WHERE DO YOU WANT TO SAVE THE OFFLINE REQUEST, click BROWSE or just type a name and click FINISH
PHASE 3 – How To Check Your SAN Certificate Request Before Buying?
Before you buy your cert, you may want to validate that it is what you think it is. There are several CSR Decoders available but I use (no, they have not paid us for the link and we have no relationship to them):
Paste the content of your CSR into the large field and submit it (see the screenshot to the right).