Tags: certificate, x509certificate, self-signed, makecert

add or create 'Subject Alternative Name' field to self-signed certificate using makecert


How can I create a certificate using makecert with a 'Subject Alternative Name' field ?


You can add some fields, e.g. 'Enhanced Key Usage' with the -eku option, and I've tried the -san option but makecert doesn't like it.

This is a self-signed certificate so any method that uses IIS to create something to send off to a CA won't be appropriate.


Solution

  • Makecert doesn't appear to support SANs so I created a certificate with SANs for use with IIS using OpenSSL. Check out my blog post about it:

    IIS 7 provides some easy to use wizards to create SSL certificates, however not very powerful ones. What I needed to do was to create SSL certificates that included an X.509 v3 extension, namely subject alternative names, a.k.a. SANs. What SANs do is allow the website certificate to validate incoming requests by more than one URL domain name. This is really important when the web server is running web services such as WCF services and when other web services connect to them over SSL connections, as with service-oriented architectures. Unless special code is added to the web services to override the default SSL validation handler routines, the common name (CN) of the certificate MUST match the incoming request URL domain. So if the request was made using an FQDN, the certificate must have the FQDN as a CN or a SAN; an IP address or just a hostname will cause an SSL validation error and the connection will fail.

    SANs to the rescue… SANs support, among other things, DNS names and IP addresses. So by creating the certificate with SANs of the server FQDN and IP address, it increases the ways that other web services can connect.

    There are a number of tools that can generate certificates: makecert.exe, keytool.exe (Java), selfssl.exe and openssl.exe. In addition, starting with Windows Vista and Server 2008 Microsoft added the CertEnroll API, which can also create certificates programmatically through COM interfaces.

    OpenSSL ended up doing exactly what I needed it to do. The process was fairly straightforward.

    1. Construct an OpenSSL config file.

    [req]
    distinguished_name = req_distinguished_name
    x509_extensions = v3_req
    prompt = no

    [req_distinguished_name]
    C = US
    ST = VA
    L = Somewhere
    O = MyOrg
    OU = MyOU
    CN = MyServerName

    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = MyServerName
    DNS.2 = 10.0.1.34
    IP.1 = 10.0.1.34
    IP.2 = 192.167.20.1

    2. Create x509 request with OpenSSL

    openssl.exe req -x509 -nodes -days 730 -newkey rsa:2048 -keyout C:\cert.pem -out C:\cert.pem -config C:\PathToConfigFileAbove.txt

    3. Create a PFX containing the keypair

    openssl.exe pkcs12 -export -out C:\cert.pfx -in C:\cert.pem -name "My Cert" -passout pass:mypassword

    4. Import the PFX into IIS using the import link in the server certificates area.

    5. Bind the certificate to the IIS websites.

    And voila, we now have an SSL certificate for IIS with SANs so we can connect using multiple domain names without certificate validation errors.

    Source: Creating certificates with SANs using OpenSSL by Andy Arismeti, Thursday, September 1, 2011