I'm really pleased to be able to announce a recent publication from the Certificate Services documentation team that will help our customers running Configuration Manager in native mode: How to Request a Certificate With a Custom Subject Alternative Name.
There are a couple of native mode scenarios that require PKI certificates containing more than one server name. That is when you need to specify a Subject Alternative Name (SAN) value in the certificate when you're using Certificate Services on Windows Server 2003 or Windows Server 2008:
Until recently, we've been directing customers to KB 931351, How to add a Subject Alternative Name to a secure LDAP certificate, as the best documentation to help you deploy certificates with more than one name. However, that KB was written for domain controllers so that they could support secure LDAP, and it assumes a Windows Server 2003 CA configured to accept SAN attributes in the request. We've been working with the Certificate Services documentation team and passing on your feedback: the KB didn't cover a Windows Server 2008 CA or the Certificate Enrollment wizard, and its instructions to specify the FQDN of a domain controller were confusing (and not relevant for Configuration Manager scenarios). Additionally, it didn't explain how a SAN extension (the names carried inside the certificate request itself) is a safer alternative to SAN attributes (a CA setting that lets any requester supply arbitrary names), and it didn't include any security best practices for production environments, such as the risk of impersonation when SAN attributes are enabled on the CA, the recommendation to use manual approval of requests, and separation of duties with role-based administration.
This new documentation addresses all these things and includes a script (MakeSanExt.vbs) to request certificates with a base64-encoded SAN extension.
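As an added example that is not part of this post, the linked documentation, or the MakeSanExt.vbs script, the following PowerShell shows the safer pattern described above: the server names go into the request as an X.509 SAN extension (OID 2.5.29.17) in a certreq .inf file, so the CA never needs the EDITF_ATTRIBUTESUBJECTALTNAME2 edit flag that KB 931351 turns on. It also shows how to check whether that flag is already set. The CA name, template name, host names and file paths are placeholders.

```powershell
# Added example (not from the post or the Certificate Services documentation).
# CA config string, template, host names and paths below are placeholders.

# 1. Check whether the CA accepts SAN *attributes* supplied by requesters.
#    If EDITF_ATTRIBUTESUBJECTALTNAME2 appears in the output, anyone who can
#    enroll for a template can request a certificate for any name, which is
#    the impersonation risk the post refers to. Run this on the CA.
certutil -getreg policy\EditFlags

# To clear the flag on the CA, then restart the service so it takes effect:
#   certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
#   net stop certsvc; net start certsvc

# 2. Build the request with the names in a SAN *extension* instead.
#    Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=siteserver.contoso.com"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=siteserver.contoso.com&"
_continue_ = "dns=siteserver&"
_continue_ = "dns=internet.contoso.com"

[RequestAttributes]
CertificateTemplate = WebServer
'@
Set-Content -Path .\siteserver.inf -Value $inf -Encoding ASCII

# Generate the PKCS#10 request; the SAN extension is signed inside it.
certreq -new .\siteserver.inf .\siteserver.req

# Submit to the issuing CA. With the template set to require manual approval,
# the request stays pending until a certificate manager issues it.
certreq -submit -config "CA01.contoso.com\Contoso Issuing CA" .\siteserver.req .\siteserver.cer

# Install the issued certificate into the machine store (matches MachineKeySet).
certreq -accept .\siteserver.cer

# 3. Confirm the issued certificate carries the names in its SAN extension.
certutil -dump .\siteserver.cer | Select-String -Pattern "DNS Name="
```

Because the names are part of the signed request, a CA with the edit flag cleared still issues the certificate with all three DNS names; the only thing the requester can no longer do is inject names through the request attributes, which is exactly what a certificate manager should be reviewing at approval time.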
Our April documentation updates will reference this new documentation where they used to reference KB 931351, for example in the topic Deploying the Web Server Certificates to Site System Servers.
-- Carol Bailey
This posting is provided "AS IS" with no warranties and confers no rights.