How to create a certificate with SAN and specific encryption in Windows?

I want to create a certificate with:

  1. Subject Alternative Name
  2. SHA256 as hash algorithm

On a Windows 10 Ent machine, both the above options are not available by default when creating a certificate. Option for SAN doesn't exist and the default cert is encrypted with SHA1.

How do I enable selection of these options in Windows?


Solution 1:

In the end, I just used openssl (downloaded binary for windows) with a config file.

The first command that would create the CSR would be:

openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config my.cnf

where:

sslcert.csr would be the CSR to send to the client
private.key would be the key you want to keep with you and not share. It will come in handy when the client gets back to you with the certificate response
my.cnf would be the file that allows you to add SAN values, hash algorithm etc.

A sample my.cnf could be the following, where the values would be replaced by your own requirements.

[ req ]
default_bits       = 2048
# hash algorithm used to sign the CSR (the question asks for SHA256)
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
countryName                = value
stateOrProvinceName        = value
localityName               = value
organizationName           = value
organizationalUnitName     = value
commonName                 = value

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = value

Note: it's a good idea to check your CSR after it's created and before sending it to the client to ensure all values are correct. Just google 'check csr' and you can use any online tool to verify the values are correct.

When the client came back with the completed CSR, you'd run the following to complete the certificate:

openssl pkcs12 -export -name "clientcert" -out yourdomain.pfx -inkey private.key -in yourdomain.crt

where:

clientcert would be the friendly name for the certificate
yourdomain.pfx would be the certificate for the domain
yourdomain.crt would be the response the client gave you

You'll be asked to create a password, please do (good security) and the certificate will be in pfx format. So with the password and the pfx, you can take it to your app to install.
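The whole flow from the answer above, as an added example that is not part of the original answer: write the config, create the key and CSR, check the CSR offline (SAN entries present, SHA-256 signature, key matches) instead of pasting it into an online checker, and finally export the PFX. The distinguished-name and SAN values are constructed samples; `default_md = sha256` is set explicitly so the hash algorithm does not depend on the OpenSSL default. Because there is no real CA in this example, the "client response" certificate is stood in for by a self-signed certificate issued from the same CSR, and the PFX password is passed with `-passout pass:` only so the script runs unattended.

```shell
#!/bin/sh
# Added example (not the original answer's code): CSR with SAN + SHA-256,
# offline CSR verification, then PKCS#12 export of the returned certificate.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
CNF="$WORKDIR/my.cnf"
CSR="$WORKDIR/sslcert.csr"
KEY="$WORKDIR/private.key"
CRT="$WORKDIR/yourdomain.crt"
PFX="$WORKDIR/yourdomain.pfx"
PFX_PASS="changeit"   # constructed sample password for the unattended run

# Constructed sample config; replace the values with your own.
cat > "$CNF" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
countryName             = US
stateOrProvinceName     = Washington
localityName            = Seattle
organizationName        = Example Corp
organizationalUnitName  = IT
commonName              = www.example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
EOF

# Step 1: private key + CSR, the same command as in the answer.
make_csr() {
    openssl req -out "$CSR" -newkey rsa:2048 -nodes -keyout "$KEY" -config "$CNF" 2>/dev/null
}

# Step 2: inspect the CSR locally. Prints "ok" only when both SAN entries are
# present, the CSR is signed with SHA-256, and the CSR's public key belongs to
# the private key we kept.
check_csr() {
    text="$(openssl req -noout -text -in "$CSR")"
    case "$text" in
        *"DNS:www.example.com"*"DNS:example.com"*) ;;
        *) echo "missing SAN"; return 1 ;;
    esac
    case "$text" in
        *sha256WithRSAEncryption*) ;;
        *) echo "not sha256"; return 1 ;;
    esac
    csr_mod="$(openssl req -noout -modulus -in "$CSR")"
    key_mod="$(openssl rsa -noout -modulus -in "$KEY" 2>/dev/null)"
    [ "$csr_mod" = "$key_mod" ] || { echo "key mismatch"; return 1; }
    echo ok
}

# Stand-in for the client's response: a self-signed cert issued from the CSR,
# carrying the same SAN extension. A real CA would return yourdomain.crt instead.
fake_client_response() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 1 \
        -extfile "$CNF" -extensions req_ext -out "$CRT" 2>/dev/null
}

# Step 3: bundle key + cert into a password-protected PFX, as in the answer.
export_pfx() {
    openssl pkcs12 -export -name "clientcert" -out "$PFX" \
        -inkey "$KEY" -in "$CRT" -passout "pass:$PFX_PASS" 2>/dev/null
}

# Verify the PFX opens with the password and the cert inside still has the SAN.
check_pfx() {
    cert_text="$(openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
                 | openssl x509 -noout -text)"
    case "$cert_text" in
        *"DNS:www.example.com"*) echo ok ;;
        *) echo "pfx cert missing SAN"; return 1 ;;
    esac
}

make_csr
check_csr
fake_client_response
export_pfx
check_pfx
```

`check_csr` is the part worth keeping around: it tells you before the CSR leaves your hands whether the SAN list and hash algorithm came out as intended, and it never uploads the CSR anywhere.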