The PowerShell script discussed in this post uses certreq.exe to generate certificate signing request (CSR) files with a properly populated Subject Alternative Name (SAN) field.

Ruben Zimmermann

Ruben is an infrastructure specialist who specializes in Active Directory, public key infrastructure (PKI), and System Center Operations Manager. He automates in VBS, PowerShell and C#. Ruben lives in Suzhou, China, and you can follow him on Twitter @Ruben8Z.

To avoid transmitting credentials in clear text, SSL/TLS should protect administrative web frontends. The primary purpose of a certificate is to prove authenticity: a certificate authority (CA) issues a certificate only after verifying that the requester's information is correct and legitimate.

Browser showing certificate naming mismatch

CSR files created with the Internet Information Services (IIS) Microsoft Management Console (MMC) snap-in carry the host name only in the common name (CN) attribute of the subject. The problem is that Chrome, since version 58, no longer matches host names against the CN. It requires the name in a correctly populated Subject Alternative Name (SAN) field. The SAN extension can also carry multiple alias names for the same server. My PowerShell script simplifies CSR file creation with alias name support.

Chrome's error message when connecting to a site with SSL certificate that has no maintained SAN field

Windows maintains a store of trusted root certification authorities. As a result, it automatically trusts a certificate that chains to one of these trusted roots. In a subsequent step, the browser checks whether the name in the certificate matches the name of the accessed resource; Internet Explorer still accepts a match on the CN, whereas Chrome only looks at the SAN entries. If no match is found, error messages such as the ones shown above appear in Internet Explorer and Chrome.

Creating a certificate with certreq.exe

Besides the wizard within IIS, certreq.exe can create CSR files. It is a built-in Windows command-line utility. To generate a new CSR file, certreq.exe is called with the -new option and an INF file that describes the request.

The INF file holds the detailed information certreq.exe needs to generate the request. Save it as plain text to use it with certreq.exe. The table below explains each entry of the INF file:

Parameter = Value (example)
    Meaning

[Version]
  Signature = "$Windows NT$"
    Indicates the operating systems for which this INF is valid; on Windows it must be $Windows NT$.

[NewRequest]
  Subject = "CN=ServerName.Nwtraders.msft"
    The CN carries the fully qualified domain name (FQDN) of the individual resource.
  KeySpec = 1
    AT_KEYEXCHANGE: the key may be used for both key exchange (encryption) and signing, which a TLS server key needs.
  KeyLength = 2048
    Length of the RSA key pair in bits; 2048 is the common minimum today.
  Exportable = FALSE
    Disallows exporting the private key, so the certificate can only be used on the machine where the request was generated. Set it to TRUE if the key must later leave the machine, e.g., as a PFX.
  MachineKeySet = TRUE
    Stores the key in the computer's key store instead of the user's profile; required for services such as IIS, not suitable for user certificates.
  ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    The cryptographic service provider (CSP) that generates and stores the key; this is the provider for RSA keys used by SChannel (TLS).
  RequestType = PKCS10
    Determines the format of the request file sent to the CA.
  KeyUsage = 0xa0
    Restricts what the key may be used for: 0x80 (digital signature) plus 0x20 (key encipherment) equals 0xa0.

[EnhancedKeyUsageExtension]
  OID = 1.3.6.1.5.5.7.3.1
    Server authentication is the intended use of this certificate.

[Extensions]
  2.5.29.17 = "{text}"
    2.5.29.17 is the OID of the SAN extension. On Windows Server 2008 and later, the SAN entries can be given in the text format below, one _continue_ line per name, each terminated by "&".
  _continue_ = "dns=servername.nwtraders.msft&"
    Must be the same as the CN in the Subject parameter.
  _continue_ = "dns=servername&"
    e.g., the NetBIOS name
  _continue_ = "dns=serveralias.nwtraders.msft&"
    e.g., an alias as FQDN
  _continue_ = "dns=serveralias&"
    e.g., an alias as NetBIOS name

The PowerShell script

The PowerShell script New-CertReqWithAlias.ps1 uses certreq.exe to generate CSR files with a populated SAN field. The SAN field may contain alias names as well. I've explained how the script works in the comments.
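As an added example that is not the post's own New-CertReqWithAlias.ps1, the following script implements the same approach in PowerShell: it writes the INF described in the table above and calls certreq.exe -new on it. The parameter names -FQDN, -Aliases and -DestinationFilePath mirror the usage shown in the next section; the -Exportable switch, the ipaddress= handling for aliases that are IP addresses, and the acceptance of a single comma-separated alias string (the case discussed in the comments) are assumptions of this example, not features of the original script.

```powershell
<#
Added example (not the original New-CertReqWithAlias.ps1): builds the request INF
from the post's table and runs certreq.exe -new. Assumptions: certreq.exe is on the
PATH, the shell is elevated (MachineKeySet=TRUE writes to the machine key store),
and the CA accepts PKCS#10 requests.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9.-]+$')]
    [string]$FQDN,

    # Works for -Aliases a,b,c (array) and -Aliases "a,b,c" (one string).
    [string[]]$Aliases = @(),

    [Parameter(Mandatory = $true)]
    [string]$DestinationFilePath,

    # Only set this when the key must later leave the machine (e.g. PFX for an appliance).
    [switch]$Exportable
)

$ErrorActionPreference = 'Stop'

# Normalise the name list: split comma-separated strings, trim, drop empties and duplicates.
# The FQDN comes first so the SAN always repeats the CN.
$extra = @($Aliases -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$names = @(@($FQDN) + $extra | Select-Object -Unique)

# certreq's {text} SAN syntax distinguishes dns= from ipaddress=. An IP written as
# dns= is not an iPAddress SAN entry, so browsers connecting by IP will not match it.
$sanLines = foreach ($n in $names) {
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($n, [ref]$ip)) {
        '_continue_ = "ipaddress={0}&"' -f $n
    } else {
        '_continue_ = "dns={0}&"' -f $n
    }
}

$exportFlag = if ($Exportable) { 'TRUE' } else { 'FALSE' }

# Same sections and values as the table in the post; $Windows NT$ is escaped
# because this is an interpolating here-string.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$FQDN"
KeySpec = 1
KeyLength = 2048
Exportable = $exportFlag
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@

$null = New-Item -ItemType Directory -Path $DestinationFilePath -Force
$infPath = Join-Path $DestinationFilePath "$FQDN.inf"
$reqPath = Join-Path $DestinationFilePath "$FQDN.req"

# ASCII avoids a UTF-8 BOM in front of the [Version] header.
Set-Content -Path $infPath -Value $inf -Encoding Ascii

# -new creates the key pair in the machine store and writes the PKCS#10 request;
# -f overwrites an existing request file instead of prompting.
& certreq.exe -new -f $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq.exe -new failed with exit code $LASTEXITCODE" }

Write-Output "Request written to $reqPath with the following SAN entries:"
$names | ForEach-Object { Write-Output "  $_" }
```

Usage matches the post: `.\New-CertReqWithAlias.ps1 -FQDN servername.nwtraders.msft -Aliases servername,serveralias.nwtraders.msft,serveralias -DestinationFilePath C:\Temp`. Before submitting the request, `certutil -dump C:\Temp\servername.nwtraders.msft.req` decodes it and shows the SAN entries certreq actually encoded.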

Example using the script

Open PowerShell with elevated rights on the computer the certificate is for, because the private key is generated in that machine's key store. The command below shows how to use the script:

The command creates a CSR file in the folder C:\Temp for the FQDN servername.nwtraders.msft with the aliases servername, serveralias.nwtraders.msft, and serveralias. Use Notepad to open the request file:

Paste the file content into the CA's certificate enrollment page, and issue the certificate.

Pasting the file content into the CA web enrollment page

The resulting certificate will look as follows:

Certificate general page

Certificate details page showing specified aliases
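Once the CA has issued the certificate, it still has to be joined with the private key that certreq -new created, and it is worth confirming that the SAN really contains every requested name before binding it in IIS. The following added example (not part of the original post) does both with certreq.exe -accept and the .NET X509 classes; the certificate path and the expected name list are assumptions matching the post's example.

```powershell
<#
Added example, not from the original post: installs the issued certificate into the
machine store (joining it with the pending request's private key) and verifies the
SAN extension. Assumptions: the CA's answer was saved as C:\Temp\servername.cer and
the request was made for the four names below; SAN text parsing assumes an
English Windows locale, because Format() output is localised.
#>
param(
    [string]$CertificateFile = 'C:\Temp\servername.cer',
    [string[]]$ExpectedNames = @(
        'servername.nwtraders.msft', 'servername',
        'serveralias.nwtraders.msft', 'serveralias'
    )
)

$ErrorActionPreference = 'Stop'

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the SAN extension; Format($true) renders one entry per line,
    # e.g. "DNS Name=servername.nwtraders.msft", like the certificate MMC does.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    $text = $san.Format($true)
    return @([regex]::Matches($text, '(?im)^DNS Name=(\S+)') |
        ForEach-Object { $_.Groups[1].Value })
}

# -accept looks up the pending request by public key and stores the certificate
# in LocalMachine\My together with the private key.
& certreq.exe -accept $CertificateFile
if ($LASTEXITCODE -ne 0) { throw "certreq.exe -accept failed with exit code $LASTEXITCODE" }

$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificateFile
$installed = Get-Item "Cert:\LocalMachine\My\$($issued.Thumbprint)"
if (-not $installed.HasPrivateKey) {
    throw 'Certificate is installed without its private key; was the request made on this machine?'
}

$present = Get-SanDnsNames -Cert $installed
if ($present.Count -eq 0) {
    throw 'No SAN extension present: Chrome 58 and later will reject this certificate'
}
$missing = @($ExpectedNames | Where-Object { $present -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "SAN is missing: $($missing -join ', ')"
}
Write-Output "OK: $($installed.Subject) has SAN entries $($present -join ', ')"
```

If the check fails with a missing name, the fix is a new request; the CA cannot add names to a certificate it has already issued.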

Further reading

Microsoft's documentation of certreq.exe explains the utility and its INF syntax in greater detail, and there is further reading on Chrome dropping CN matching in version 58.

9 Comments
  1. Nathan 10 months ago

    Thank you so much for sharing this.

  2. Zack 9 months ago

    Hello Ruben. This script is awesome and exactly what I was looking for - I'm used to making custom requests through the GUI and it just gets tiresome. However, I'm running into one issue that I was hoping you may know a quick fix for.

    When running the PS code going by the suggested example:

    .\New-CertReqWithAlias.ps1 -FQDN workstation.domain.local -Aliases workstation, zackssys.domain.local, zackssys, 192.168.1.5 -DestinationFilePath C:\Temp

    The resulting cert has something like this for the SAN entry:

    DNS Name=workstation.domain.local
    DNS Name=workstation zackssys.domain.local zackssys 192.168.1.5

    as opposed to what I would expect:

    DNS Name=workstation.domain.local
    DNS Name=workstation
    DNS Name=zackssys.domain.local
    DNS Name=zackssys
    DNS Name=192.168.1.5

    Any idea what I may have botched?

    Thanks!

    • Luc Fullenwarth 9 months ago

      @Zack

      Did you try putting your aliases between quotes?

  3. Trevor 8 months ago

    @Zack

    I was having the same issue. I finally figured out that I had to pass the arguments to Aliases like so:

    -Aliases "workstation,zackssys.domain.local,zackssys,192.168.1.5"

    Note the addition of the double quotes and the removal of the spaces.

    • Ruben Zimmermann (author) 8 months ago

      Trevor, many thanks for pointing this out! 🙂

      I updated the code in the article.

  4. Jeremiah 2 weeks ago

    Hello Ruben. Could this same script be applied to an appliance with an embedded web server (i.e., a printer or other IoT device)? Oftentimes customers purchase equipment from vendors that have web server functionality enabled and the default certificate does not comply with company policy. I'm looking for a better way to generate a CSR for appliances that meet these criteria, and your script seems like it could fit the bill.

  5. David Figueroa 2 weeks ago

    You can absolutely create the certificate request with the script.  The main thing is to mark the key as exportable, so that when you generate the cert from the requesting machine, you can export it as a PFX with the key.  Your devices need to be able to import that PFX though.

    David F.

  6. Zachary 5 days ago

    Brilliant and oh so helpful!  Thank you!

    One question:  When using the GUI, one can add a custom permission for the Private Key.  While I can do this after the key is installed, is there a way to add READ permission for "mydomain\NETWORK SERVICE" account in the request?
