Windows server SAN attribute in Web request

I always forget how to fix this, so I decided to write it down. On a default Windows CA installation, the Subject Alternative Name (SAN) attribute is not added to the certificate when the request is made via the web interface (https://ca.domain.local/certsrv).

The fix for this issue is quite simple. It requires one command in an administrative prompt (cmd or PowerShell):

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

After executing this command, restart the certificate service:

net stop certsvc
net start certsvc

All done! Now the SAN attributes will be added to the certificates.
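The same fix as an added PowerShell example (not part of the original post) that checks the current state first, applies the change only when needed, and verifies it afterwards. It assumes it runs elevated on the CA server itself and that the CA uses the standard CertSvc registry layout; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: check, set and verify EDITF_ATTRIBUTESUBJECTALTNAME2 on the local CA.
# Assumption: run on the CA server, standard CertSvc registry layout.

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # bit value of the flag inside EditFlags

function Get-CaEditFlags {
    # Resolve the active CA and its active policy module, then read EditFlags.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $pol    = Join-Path $cfg "$caName\PolicyModules"
    $module = (Get-ItemProperty -Path $pol -Name Active).Active
    (Get-ItemProperty -Path (Join-Path $pol $module) -Name EditFlags).EditFlags
}

function Test-SanAttributeFlag {
    # True when the CA accepts SAN values passed as request attributes.
    ((Get-CaEditFlags) -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
}

if (Test-SanAttributeFlag) {
    Write-Output 'EDITF_ATTRIBUTESUBJECTALTNAME2 is already set; nothing to do.'
}
else {
    # Same command as in the post; quoted so PowerShell passes the "+" through untouched.
    certutil -setreg 'policy\EditFlags' '+EDITF_ATTRIBUTESUBJECTALTNAME2'
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

    # The CA only picks up the new EditFlags after a service restart.
    Restart-Service -Name CertSvc

    if (-not (Test-SanAttributeFlag)) { throw 'Flag is still not set after certutil ran.' }
    Write-Output 'Flag set and CertSvc restarted.'
}

# To undo: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
# followed by another restart of CertSvc.
```

The flag is a CA-wide setting: once it is set, the CA honours SAN values supplied as request attributes for every template it issues from, not only for web enrollment. Clearing it again with the `-EDITF_ATTRIBUTESUBJECTALTNAME2` form shown in the last comment restores the default behaviour.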
