How to Add the SAN to the Certificate Request
The two commands below are optional: they are only needed when the SAN is passed to the CA as a request attribute instead of inside the CSR. They set the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on the CA's policy module and restart the service so the change takes effect. With the flag set, the CA accepts whatever names any enrollee supplies in that attribute, for any template, which is why Microsoft recommends leaving it off on an enterprise CA. All three methods below embed the SAN in the request's extensions (OID 2.5.29.17) and work without the flag, as long as the template lets the requester supply the subject. (The second line is cmd.exe syntax; in PowerShell separate the two commands with `;` instead of `&`.)
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc & net start certsvc
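As an added example (my code, not part of the original page), the following PowerShell audits whether that flag is currently set on the CA(s) configured on a host, reading EditFlags from the registry and cross-checking with certutil. The registry path and the 0x40000 bit value are Microsoft's documented ones; the function names are my own.

```powershell
# Added example, not from the original page: audit whether
# EDITF_ATTRIBUTESUBJECTALTNAME2 is set on the CA(s) configured on this host.
# Run on the CA server in an elevated session. Assumes certutil.exe is present
# (it is on any AD CS server). Function names are my own.

# Documented bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 in the EditFlags DWORD.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

function Get-CaEditFlags {
    # Reads EditFlags for every CA under the CertSvc configuration key.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $base)) { throw "No AD CS configuration under $base" }
    foreach ($ca in Get-ChildItem -Path $base) {
        $policyKey = Join-Path $ca.PSPath 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'
        if (-not (Test-Path $policyKey)) { continue }
        $flags = [int](Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
        [pscustomobject]@{
            CAName             = $ca.PSChildName
            EditFlags          = $flags
            AllowsRequesterSan = (($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
        }
    }
}

function Test-RequesterSanFlagViaCertutil {
    # Cross-check with certutil, the tool the -setreg command above changes.
    # certutil -getreg lists by name each flag present in the bitmask.
    $out = certutil -getreg policy\EditFlags 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed: $out" }
    return [bool]($out -match 'EDITF_ATTRIBUTESUBJECTALTNAME2')
}

foreach ($ca in Get-CaEditFlags) {
    if ($ca.AllowsRequesterSan) {
        $msg = ('{0}: EDITF_ATTRIBUTESUBJECTALTNAME2 is set (EditFlags=0x{1:X}). Any ' +
                'enrollee can specify arbitrary SANs as request attributes. Clear it with ' +
                '"certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2" ' +
                'and restart certsvc.') -f $ca.CAName, $ca.EditFlags
        Write-Warning $msg
    } else {
        Write-Output ('{0}: flag not set (EditFlags=0x{1:X})' -f $ca.CAName, $ca.EditFlags)
    }
}
'certutil view agrees that the flag is set: {0}' -f (Test-RequesterSanFlagViaCertutil)
```

The registry read covers every CA configured on the host, while `certutil -getreg` reports the active CA only; the two should agree on a single-CA server. The remediation command in the warning is the page's own `-setreg` command with `-` in place of `+`.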
1. Using certreq.exe with a Configuration File
This method involves creating an .inf file to define the certificate request details.
Steps:
- Create a configuration file (e.g., request.inf) with the following content:
Plaintext
[NewRequest]
Subject = "CN=example.com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; 0xa0 = digitalSignature + keyEncipherment
KeyUsage = 0xa0
[Extensions]
; 2.5.29.17 is the Subject Alternative Name extension; entries are separated by '&'
2.5.29.17 = "{text}"
_continue_ = "DNS=example.com&DNS=www.example.com&DNS=api.example.com"
- Run the following PowerShell command:
Powershell
certreq -new request.inf request.csr
This generates a Certificate Signing Request (CSR) file (request.csr).
- Submit the CSR to your Certificate Authority (CA) to obtain the certificate.
2. Using the Get-Certificate Cmdlet
This method works if you have access to an Active Directory Certificate Services (AD CS) CA.
Example Script:
Powershell
# Get-Certificate takes plain host names; the "DNS=" prefix is only for .inf files.
$SANs = @("example.com", "www.example.com", "api.example.com")
$CertRequest = @{
    SubjectName       = "CN=example.com"
    DnsName           = $SANs
    CertStoreLocation = "Cert:\LocalMachine\My"
    Template          = "WebServer" # Replace with your CA's template name
    Url               = "ldap:"     # Use the Active Directory enrollment policy; the issuing CA is selected from it (Get-Certificate has no -CA parameter)
}
Get-Certificate @CertRequest
This will request and install the SAN certificate directly from an enterprise CA that offers the named template.
3. Using a Custom PowerShell Script
You can also use a script to automate the process of generating a CSR with SANs. For example:
Powershell
$SANs = @("DNS=example.com", "DNS=www.example.com", "DNS=api.example.com")
$Subject = "CN=example.com"
$CertFile = "C:\Path\To\request.csr"
# Build the same .inf as in method 1; SAN entries are joined with '&'.
$Config = @"
[NewRequest]
Subject = "$Subject"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
KeyUsage = 0xa0
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$($SANs -join '&')"
"@
Set-Content -Path "C:\Path\To\request.inf" -Value $Config
# MachineKeySet = TRUE stores the private key in the machine store, so run this elevated.
certreq -new "C:\Path\To\request.inf" $CertFile
This script dynamically generates the .inf file and creates the CSR.
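Methods 1 and 3 both write the SAN string into the .inf by hand and trust that certreq produced what was intended. The following added example (my code, not the page's) wraps the same certreq workflow in functions that validate the SAN list before it is written into the .inf, generate the CSR, and then decode it with `certutil -dump` to confirm every requested name is present before it is sent to the CA. Function names, paths and host names are placeholders I chose; it assumes certreq.exe and certutil.exe are available and that the session is elevated, because MachineKeySet = TRUE uses the machine key store.

```powershell
# Added example, not part of the original page. Function names, paths and host
# names are placeholders; assumes certreq.exe/certutil.exe and an elevated session.

function Test-DnsName {
    param([Parameter(Mandatory)][string]$Name)
    # Accept only plain host names (letters, digits, hyphens, dots, <= 253 chars).
    # Anything else, e.g. '&' or '=', would be read by certreq as the start of
    # another SAN entry, so names assembled from untrusted input (a ticket field,
    # a CSV import) cannot smuggle extra entries into the request. Wildcards are
    # rejected on purpose; add them explicitly if your template allows them.
    if ($Name.Length -gt 253) { return $false }
    return $Name -match '^([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

function New-SanRequestInf {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [Parameter(Mandatory)][string[]]$DnsNames,
        [switch]$Exportable   # off by default: a web server key rarely needs to leave the host
    )
    $bad = @(@($CommonName) + $DnsNames | Where-Object { -not (Test-DnsName $_) })
    if ($bad.Count -gt 0) { throw "Rejected SAN value(s): $($bad -join ', ')" }
    # The CN goes into the SAN as well: clients match on the SAN, not the CN.
    $all = @(@($CommonName) + $DnsNames | Select-Object -Unique)
    $san = ($all | ForEach-Object { "DNS=$_" }) -join '&'
    $exp = if ($Exportable) { 'TRUE' } else { 'FALSE' }
    return @"
[NewRequest]
Subject = "CN=$CommonName"
KeySpec = 1
KeyLength = 2048
Exportable = $exp
MachineKeySet = TRUE
RequestType = PKCS10
KeyUsage = 0xa0
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$san"
"@
}

function Get-CsrDnsNames {
    param([Parameter(Mandatory)][string]$CsrPath)
    # certutil -dump decodes the PKCS#10 request; each SAN entry is rendered
    # as a line of the form "DNS Name=example.com".
    $dump = certutil -dump $CsrPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed: $dump" }
    return @($dump | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(\S+)\s*$') { $Matches[1] }
    })
}

function New-VerifiedSanCsr {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [Parameter(Mandatory)][string[]]$DnsNames,
        [Parameter(Mandatory)][string]$InfPath,
        [Parameter(Mandatory)][string]$CsrPath
    )
    $inf = New-SanRequestInf -CommonName $CommonName -DnsNames $DnsNames
    Set-Content -Path $InfPath -Value $inf -Encoding ASCII
    certreq -new $InfPath $CsrPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }
    # Verify the request before it leaves the host: every requested name must be in the SAN.
    $found = Get-CsrDnsNames -CsrPath $CsrPath
    $missing = @(@($CommonName) + $DnsNames | Where-Object { $found -notcontains $_ })
    if ($missing.Count -gt 0) { throw "CSR is missing SAN entries: $($missing -join ', ')" }
    return $found
}

# Placeholder names and paths; replace with your own.
$names = New-VerifiedSanCsr -CommonName 'example.com' `
    -DnsNames @('www.example.com', 'api.example.com') `
    -InfPath 'C:\Temp\request.inf' -CsrPath 'C:\Temp\request.csr'
"CSR contains SAN entries: $($names -join ', ')"
```

Once the CSR has passed the check, submit it with `certreq -submit -config "CA_SERVER_NAME\CA_NAME" C:\Temp\request.csr C:\Temp\cert.cer` and install the issued certificate against the machine-store key with `certreq -accept C:\Temp\cert.cer`. The name validation is the part worth keeping even if the rest is adapted: because the .inf joins SAN entries with `&`, a value taken from a form or file that contains `&DNS=` would otherwise add names the requester never reviewed.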