Setting Up a CA Template with SAN and Custom Settings

100

Article

Step 1. Create a New Certificate Template.

Open Server Manager on the CA server and launch Certificate Authority.
Expand your CA server node and select Certificate Templates.
Right-click on Certificate Templates and choose Manage.
In the Certificate Templates Console, locate the Web Server template, right-click it, and choose Duplicate Template.
A new window will pop up titled Properties of New Template. Configure the following:

1. Compatibility Tab

Certification Authority: Select the latest version available.
Certificate Recipient: Choose the version that matches your environment.

2. General Tab

Template Display Name: Provide a clear, unique name.
Template Name: Set a suitable template name.
Validity Period: Configure according to your organization’s policy (default is 2 years).
If your CA is Enterprise and domain-joined, check "Publish certificate in Active Directory."

3. Request Handling Tab

Enable "Allow private key to be exported."

4. Cryptography Tab

Provider Category: Key Storage Provider
Algorithm Name: RSA
Minimum Key Size: 2048
Request Hash: SHA256

5. Extensions Tab

Select Application Policies, click Edit, and add:
- Client Authentication
- Smart Card Logon (if required)

6. Security Tab

Add specific users or groups if special permissions are needed beyond Domain Admins.
Add the server names (including the application server) and assign the appropriate permissions. If the application servers are used to generate certificates, grant the necessary permissions to the CA server.

7. Subject Name Tab

Select "Supply in the request."

8. Click Apply and then OK to save the template

Step 2. Publish the New Template.

In the Certificate Templates node, right-click and select New → Certificate Template to Issue.
Select the template you just created and click OK.
You will now see the new template listed under the issued templates.

Generate an SSL Certificate Without CSR and Add Alternative Names

On the CA server or a domain-joined application server, run MMC.exe as Administrator.
Add the Certificates snap-in for the computer account.
Expand Certificates → Personal → Certificates.
Right-click Personal, go to All Tasks → Request New Certificate.
The Certificate Enrollment Wizard will open:
- Click Next → Next again → Select the new template (created earlier).
- If a warning icon appears, click on it to configure additional fields.
Under the Subject Tab:
- Add a Subject Name as required.
- Under Alternative Name, add the following (as applicable):
  - DNS: Add the FQDN of the server and application (e.g., server.domain.com, app.domain.com).
  - IP Address: Add the IP of the application server.
  - URL: Add the application URL (e.g., https://pba.pb.dash/*).
In the General Tab:
- Set a Friendly Name for easy identification.
Leave other tabs as default, then click Apply and OK.
Click Enroll to complete the certificate request.

Exporting and Installing the Certificate on Another Server (If Needed)

If the certificate was created on a different server than the application server, follow these steps:

Right-click the certificate → All Tasks → Export.
In the Export Wizard:
- Click Next.
- Select Yes, export the private key.
- Choose the .PFX format, then click Next.
- Set a password to protect the private key.
- Choose a save location, and click Finish to export the certificate.
On the target server, import the PFX certificate via MMC or IIS.

Assign an SSL Certificate in IIS

Open IIS Manager.
Navigate to Sites and select the appropriate site.
On the right panel, click Bindings.
Edit or add a binding for HTTPS.
In the SSL certificate dropdown, select the installed/enrolled certificate.
Click OK to apply the changes.

Conclusion

By following these steps, you can securely issue and apply an SSL certificate with custom subject names and SAN entries using your internal CA. If preferred, these additional settings can also be included in a CSR for manual submission.