# Certificates

# How to Add the SAN to the Certificate Request

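To let the CA accept SAN values supplied as request attributes, set the `EDITF_ATTRIBUTESUBJECTALTNAME2` policy flag and restart the Certificate Services service. The flag is CA-wide, so it applies to requests for every template the CA issues.

```cmd
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc & net start certsvc
```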

### **1. Using `certreq.exe` with a Configuration File**

This method involves creating an `.inf` file to define the certificate request details.

#### **Steps:**

1. Create a configuration file (e.g., `request.inf`) with the following content:
    
    ```plaintext
    [NewRequest]
    Subject = "CN=example.com"
    KeySpec = 1
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = FALSE
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0
    
    [Extensions]
    2.5.29.17 = "{text}"
    _continue_ = "DNS=example.com&DNS=www.example.com&DNS=api.example.com"
    ```
2. Run the following PowerShell command:
    
    ```powershell
    certreq -new request.inf request.csr
    ```
    
    This generates a Certificate Signing Request (CSR) file (`request.csr`).
3. Submit the CSR to your Certificate Authority (CA) to obtain the certificate.

### **2. Using the `Get-Certificate` Cmdlet**

This method works if you have access to an Active Directory Certificate Services (AD CS) CA.

#### **Example Script:**

```powershell
# DnsName takes bare host names; each becomes a DNS entry in the SAN extension.
$SANs = @("example.com", "www.example.com", "api.example.com")
$CertRequest = @{
    DnsName = $SANs
    CertStoreLocation = "Cert:\LocalMachine\My"
    Template = "WebServer"  # Replace with your CA's template name
}

# Get-Certificate has no -CA parameter: the issuing CA is found through the
# enrollment policy (pass -Url to target a specific policy server).
Get-Certificate @CertRequest
```

This requests the SAN certificate and, once it is issued, installs it in the specified certificate store.

### **3. Using a Custom PowerShell Script**

You can also use a script to automate the process of generating a CSR with SANs. For example:

```powershell
$SANs = @("DNS=example.com", "DNS=www.example.com", "DNS=api.example.com")
$Subject = "CN=example.com"
$CertFile = "C:\Path\To\request.csr"

$Config = @"
[NewRequest]
Subject = "$Subject"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
KeyUsage = 0xa0

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$(($SANs -join '&'))"
"@

Set-Content -Path "C:\Path\To\request.inf" -Value $Config
certreq -new "C:\Path\To\request.inf" $CertFile

```

This script dynamically generates the `.inf` file and creates the CSR.
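
A pre-submission check for methods 1 and 3, added here as an example (not part of the original page): it validates the DNS names before they are joined into the `_continue_` line, then confirms that the `certutil -dump` text of the CSR lists exactly those names. The function names and the sample dump lines are assumptions constructed for illustration, and the parser expects English `certutil` output.

```powershell
# Added example; function names and the sample dump are constructed.
Set-StrictMode -Version Latest

# Strict host-name check (assumed policy: two or more labels, optional leading
# wildcard). Rejects '&', '=', quotes and whitespace that would alter the INF.
function Test-DnsSanName {
    param([string]$Name)
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    return ($Name.Length -le 253) -and ($Name -match "^(\*\.)?$label(\.$label)+$")
}

# Build the value of the INF "_continue_" line from validated names only.
function New-SanContinueValue {
    param([string[]]$DnsName)
    $bad = @($DnsName | Where-Object { -not (Test-DnsSanName $_) })
    if ($bad.Count -gt 0) { throw "Rejected SAN value(s): $($bad -join ', ')" }
    return (($DnsName | ForEach-Object { "DNS=$_" }) -join '&')
}

# Pull the DNS entries out of "certutil -dump <csr>" text (English output).
function Get-DumpDnsSan {
    param([string[]]$DumpLine)
    return @($DumpLine | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(\S+)\s*$') { $Matches[1].ToLowerInvariant() }
    })
}

# True only when the CSR carries exactly the expected names.
function Test-CsrSan {
    param([string[]]$Expected, [string[]]$DumpLine)
    $want = @($Expected | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    $have = @(Get-DumpDnsSan $DumpLine | Sort-Object -Unique)
    return (($want -join ',') -eq ($have -join ','))
}

$names = @('example.com', 'www.example.com', 'api.example.com')
$sanValue = New-SanContinueValue $names   # goes into: _continue_ = "$sanValue"

# Constructed excerpt; on a real host use: $dump = certutil -dump request.csr
$dump = @(
    '    Subject Alternative Name',
    '        DNS Name=example.com',
    '        DNS Name=www.example.com',
    '        DNS Name=api.example.com'
)
if (-not (Test-CsrSan -Expected $names -DumpLine $dump)) {
    throw 'CSR SAN list differs from the requested names; do not submit.'
}
"SAN check passed: $sanValue"
```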
