In a clean lab environment I installed 2 Windows Server 2019 servers.
On the first server I installed:
- Active Directory Domain Services
- Active Directory Certificate Services with:
  - Certification Authority
  - Certification Authority Web Enrollment
I joined the second server to the same AD domain and installed
From IIS I attempted to get a certificate using either:
- Create domain certificate
- Create certificate request
I attempted to associate either certificate with the Default Web Site, but I keep getting the same error:


that means:

This server couldn't prove that it's myserver.mydomain.local; its security certificate does not specify Subject Alternative Names.
This may be caused by a misconfiguration or an attacker intercepting your connection.

Am I missing any relevant step?
How can I solve the problem?
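
An added check, not part of the original question, that confirms what the browser error is reporting. Run it on the IIS server: it walks every HTTPS binding in IIS, loads the bound certificate from the machine store, and lists the DNS names in its Subject Alternative Name extension (OID 2.5.29.17) next to the subject CN. The host name `myserver.mydomain.local` is taken from the error text above and is an assumption; replace it with the name the browser actually connects to.

```powershell
# Added example (not from the original post): report CN and SAN DNS names for the
# certificate bound to each HTTPS site in IIS and flag bindings whose certificate
# has no SAN entry for the expected host name.
Import-Module WebAdministration

$expectedHost = 'myserver.mydomain.local'   # assumption: host name from the error text
$sanOid = '2.5.29.17'                       # id-ce-subjectAltName

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if (-not $ext) { return @() }
    # Format($true) renders one entry per line, e.g. "DNS Name=host.example.local"
    [regex]::Matches($ext.Format($true), 'DNS Name=([^\r\n]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() }
}

foreach ($binding in Get-WebBinding -Protocol https) {
    # Bindings without a certificate assigned yet carry an empty certificateHash
    if (-not $binding.certificateHash) { continue }
    $store = $binding.certificateStoreName
    if (-not $store) { $store = 'My' }

    $cert = Get-Item "Cert:\LocalMachine\$store\$($binding.certificateHash)"
    $cn   = $cert.GetNameInfo('SimpleName', $false)
    $sans = @(Get-SanDnsNames -Cert $cert)

    '{0}: CN={1}  SAN DNS={2}' -f $binding.bindingInformation, $cn,
        $(if ($sans) { $sans -join ', ' } else { '<none>' })

    if ($sans -notcontains $expectedHost) {
        # A CN-only certificate is exactly what triggers "does not specify
        # Subject Alternative Names": modern browsers ignore the CN entirely.
        Write-Warning ("Certificate {0} bound to {1} has no SAN entry for {2}" -f
            $cert.Thumbprint, $binding.bindingInformation, $expectedHost)
    }
}
```

The certificates produced by "Create domain certificate" in IIS Manager carry only a CN, so the script will print `SAN DNS=<none>` for them. The comparison is an exact match; a wildcard entry such as `*.mydomain.local` would also satisfy a browser but is reported as missing here.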

4 Replies
Test environment, I assume VMs. Even in test you should not have anything on a DC apart from AD (plain & simple).
The error means exactly this: the DNS name is incorrect (for the website), and you also need to have the DNS name in the SAN.

@Sebastian Cerazy 

Many thanks for your message.

On my DC I have only AD and CA, and, as you say, the certificate is missing a SAN.

In the meantime I made some further investigation and I found a complete, working solution on page

I hope it can be useful for other people.

Many thanks, anyway


AD CA should ALWAYS be on a separate server
You need to set up a correct template for the web server, where the fields are filled in & not auto-created.
"Proceed without enrollment policy" is not the correct setup (it will work, it's just not the right way to do it).
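
An added example of the enrollment the reply above describes; it is not code from the original thread. Instead of letting IIS auto-create the subject, the request supplies both the CN and the SAN dNSName entries itself, enrolls against the enterprise CA published in AD, verifies the issued certificate actually carries the SAN, and binds it to the Default Web Site. Assumptions: the host name `myserver.mydomain.local` from the error text, a CA template named `WebServer` (the built-in one, with subject set to "Supply in the request") that this computer is permitted to enroll, and a site named `Default Web Site`. Run it on the IIS server as an administrator.

```powershell
# Added example (not from the original thread): request a web server certificate
# with an explicit SAN from the enterprise CA and bind it to the Default Web Site.
Import-Module PKI
Import-Module WebAdministration

$hostName = 'myserver.mydomain.local'   # assumption: name from the error text
$template = 'WebServer'                 # assumption: template name as published on the CA
$siteName = 'Default Web Site'

# Enroll against the enterprise CA found through AD (Get-Certificate defaults to the
# ldap: policy URL). Both the subject CN and the SAN DNS names are supplied here,
# which is only honoured when the template's subject name is "Supply in the request".
$result = Get-Certificate -Template $template `
    -SubjectName "CN=$hostName" `
    -DnsName $hostName, $hostName.Split('.')[0] `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# A CA that requires manager approval returns Pending rather than Issued.
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status $($result.Status)"
}
$cert = $result.Certificate

# Verify before binding: the SAN extension (OID 2.5.29.17) must list the host name.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape("DNS Name=$hostName")) {
    throw "Issued certificate $($cert.Thumbprint) has no SAN entry for $hostName; check the template's subject-name settings"
}

# Create the HTTPS binding for this host name if it does not exist (SslFlags 1 = SNI),
# then attach the certificate from the machine's personal (My) store.
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
    $binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')

'Bound {0} (CN={1}, {2}) to {3}' -f $cert.Thumbprint, $hostName, $san.Format($false), $siteName
```

If the template is instead configured to build the subject from Active Directory, the CA ignores the names supplied in the request and the verification step fails; that is the "auto-created" case the reply warns about. The same request can be made without the PKI module by writing a `certreq` INF file with a `2.5.29.17 = "{text}"` extension and submitting it to the CA, which is also how a standalone CA behind Web Enrollment would be used.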