Server Alternate Name Requests
Server Alternate Names are a means to embed more than one host name into a certificate. This is particularly useful for Exchange systems which have multiple Client Access Servers and alternative names for the Outlook Web Access page.
As with all deployments, make sure you know what your host names will be before you deploy and apply for your certificate, and stick to them.
Generate with IIS
Currently there is no means of adding the Subject Alternate Names with the GUI. You can create them with the certreq tool or by using Windows PowerShell.
More information will be posted when it is available.
First get a copy of Openssl for Windows. The downloads are available from http://www.slproweb.com/products/Win32OpenSSL.html. You will need either the 32- or 64-bit version depending on your system, but make sure you get the full version, not the lite one. You should also add the Visual C++ redistributables if they are not already on your system.
When installing, make sure you choose to install to the Openssl\bin folder, not the Windows System folder (you will be offered the choice with the full version).
Once installed do a Windows Update check to check for updates for the C++ redistributables.
Run an Administrative command shell and navigate to the install binary folder, typically C:\Openssl\bin.
Enter the following command to generate a key:
- openssl genrsa -des 2048 > key.pem
You will be prompted for a passphrase for your key file; do not lose this.
NOTE: A 2048-bit key length will be suitable in most cases.
Config File Example
Use this configuration file as a template for your own config file.
You will need to change the following for your own needs:
For additional names, just add an extra incremental DNS.X line.
Modify your text file and save it to the C:\Openssl\bin folder.
Create the Request
To generate the certificate request, enter the following from the Openssl\bin folder:
- openssl req -new -config myservercertconfig.txt -key key.pem -out myservernamecertrequest.csr
Just make sure that myservercertconfig.txt is whatever you named the config file, that key.pem is the name of the key file you created, and that myservernamecertrequest.csr is a memorable name for your request output file.
When the command runs you will not be prompted for any input, and the request will be in the .csr file.
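The config template the page leaves to the reader and the request step that follows, as an added POSIX shell example (not the page's own; it runs under Git Bash on Windows or any Unix shell). The host names, the C and O values, and the function names make_san_config and csr_san_count are assumptions, and openssl is only invoked if it is installed.

```shell
#!/bin/sh
# Added example, not from the original page: writes the request config the page
# describes (one DNS.N line per host name under [alt_names]), then, if openssl
# is on the PATH, generates the key and CSR and counts the SANs in the result.
# The host names and DN values are constructed placeholders; use your own.

# make_san_config CN EXTRA_NAME... : print an OpenSSL request config to stdout
make_san_config() {
    cn="$1"; shift
    cat <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
C  = GB
O  = Example University
CN = $cn

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
EOF
    i=1
    for name in "$cn" "$@"; do    # list the CN first so it is also a SAN
        echo "DNS.$i = $name"
        i=$((i + 1))
    done
}

# csr_san_count FILE : print how many DNS: entries the CSR carries (needs openssl)
csr_san_count() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,]*' | wc -l | tr -d ' '
}

make_san_config mail.example.ac.uk owa.example.ac.uk autodiscover.example.ac.uk \
    > myservercertconfig.txt

if command -v openssl >/dev/null 2>&1; then
    # Unencrypted key so this runs unattended; the page's "-des" form prompts
    # for a passphrase and is what you want for a real key file.
    openssl genrsa -out key.pem 2048 2>/dev/null
    openssl req -new -config myservercertconfig.txt -key key.pem -out request.csr
    echo "SANs in request.csr: $(csr_san_count request.csr)"   # 3 here
fi
```

Checking the CSR with openssl req -noout -text before submitting it is the quickest way to catch a missing DNS.X line.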
Submit your Request
Submit your request at http://www.cam.ac.uk/cs/tlscerts/forms/request.html.
Select the following options:
- New certificate
- Microsoft IIS 7.x and later
- click Next
- Paste the contents of your .csr file into the Certificate signing request field and select a duration
- click Next
- Check the contents of your CSR
- Enter in contact details (use a group mail rather than personal for this)
- click Next
Then wait for your certificate.
Once you have received your certificate, copy it into the Openssl\bin folder on the server where you made the request.
You need to convert the file from a .crt to a .pem; this is a two-stage process. Open an Administrative Command shell and enter the following commands:
- openssl x509 -in mycert.crt -out input.der -outform DER
- openssl x509 -in input.der -inform DER -out output.pem -outform PEM
Where mycert.crt is the name of your .crt file
Where output.pem is the name of the .pem file you want to create
You then need to combine the .pem file with the key file you generated at the start of the process into a .pfx file:
- openssl pkcs12 -export -in (pemfile) -inkey (keyfile name) -out (pfx file name) -name (name for the certificate)
Where (pemfile) is the output.pem file you created in the previous step, (keyfile name) is the key file you generated at the start of the process, (pfx file name) is the name of the .pfx file you are about to create, and (name for the certificate) is the display name for the certificate once installed into Exchange or IIS.
You will be prompted for the passphrase for your keyfile and you will have to create and confirm an export passphrase.
You will now have a .pfx file in your Openssl\bin folder.
Install the certificate into Exchange
- Open the Exchange Management Console and select Import Exchange Certificate.
- Select the servers you want to install the certificate to.