How to create self-signed SAN certificate in IIS?

Solution 1:

Unfortunately, IIS manager cannot create certificates or requests with SAN extension. You have to use something else. For example, PowerShell or certreq.exe tool (both are included in the box).

PowerShell

Minimum required parameters

New-SelfsignedCertificate `
    -DnsName "mysite.com","www.mysite.com" `
    -CertStoreLocation cert:\localmachine\my

More detailed parameters

New-SelfsignedCertificate -Subject "CN=www.mysite.com" `
    -DnsName "mysite.com","www.mysite.com" `
    -EKU "Server Authentication" `
    -KeySpec "KeyExchange" ` 
    -KeyUsage "DigitalSignature", "KeyEncipherment" `
    -FriendlyName "My web site"
    -NotAfter $([datetime]::now.AddYears(1)) `
    -CertStoreLocation cert:\localmachine\my

CertReq.exe

Prepare INF template file (with .inf file extension) with the following contents:

[NewRequest]
Subject = "CN=www.mysite.com"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
MachineKeySet = true
KeySpec = 1
KeyUsage = 0xa0
RequestType = Cert
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; server authentication
[Extensions] 
2.5.29.17 = "{text}" 
_continue_ = "dns=mysite.com&" 
_continue_ = "dns=www.mysite.com"

And then execute the following command against this INF file:

certreq -new path\myinftemplate.inf

Solution 2:

What version of Windows? If it is a newer version of Windows, it would probably be easier to just open up powershell and use the New-SelfSignedCertificate commandlet. You can use the -DnsName to provide a list of all the names you want in your SAN.