Monday, September 1, 2014

How to enable Windows Server 2008 R2 to issue SAN certificates

The Certificate Authority in Windows 2008 R2 cannot issue Subject Alternative Name (SAN) certificates in its default configuration. If you include a SAN entry in a request (such as for Exchange), the CA will still issue your certificate, but it will omit all the SAN entries.

To allow your CA to issue SAN certificates you need to run the following from an administrative command prompt:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

This is not necessary on Windows 2012 and above.
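
The flag set above makes the CA accept SAN values supplied as request attributes, so it is worth knowing which CAs have it enabled. The following is an added example, not part of the original post: a PowerShell check that reads EditFlags for every CA configured on the server and reports whether the EDITF_ATTRIBUTESUBJECTALTNAME2 bit is set. It assumes it is run elevated on the CA itself; the function name Get-CaSanFlag is made up for this example, and it avoids syntax newer than the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example: audit EDITF_ATTRIBUTESUBJECTALTNAME2 on the local CA(s).
# Run from an elevated PowerShell prompt on the CA server.

# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 as defined in certsrv.h
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000
$ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaSanFlag {            # hypothetical helper name
    param([string]$Root = $ConfigRoot)

    # Each CA hosted on this server has its own subkey under Configuration.
    foreach ($ca in Get-ChildItem -Path $Root -ErrorAction Stop) {
        $policyRoot = Join-Path $ca.PSPath 'PolicyModules'
        if (-not (Test-Path $policyRoot)) { continue }

        # "Active" names the policy module in use. certutil's "policy\"
        # prefix resolves to this same key.
        $active    = (Get-ItemProperty -Path $policyRoot -Name Active).Active
        $policyKey = Join-Path $policyRoot $active
        $flags     = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags

        # New-Object is used instead of [pscustomobject] for PowerShell 2.0.
        New-Object PSObject -Property @{
            CA                = $ca.PSChildName
            PolicyModule      = $active
            EditFlags         = ('0x{0:X8}' -f $flags)
            SanFromAttributes = [bool]($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)
        } | Select-Object CA, PolicyModule, EditFlags, SanFromAttributes
    }
}

Get-CaSanFlag | Format-Table -AutoSize
```

If a CA reports SanFromAttributes as True and no longer needs it, the same certutil command with - in place of + clears the flag, followed by the same restart of certsvc.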