Tuesday, 31 May 2011

Issue a SAN Certificate from a Private Certificate Authority

Without modification, the Certificate Authority service built into Windows does not support SAN (Subject Alternative Name) certificates, which are required for correct operation of Exchange 2007 and Exchange 2010. To support them, you need to set an additional policy edit flag called EDITF_ATTRIBUTESUBJECTALTNAME2.

To check whether the flag is already set on your Certificate Authority, open a command prompt and run:
certutil -getreg policy\EditFlags

To add the flag, run:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Finally, restart the Active Directory Certificate Services service so that the change takes effect.
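
The three steps above combined into one idempotent PowerShell script. This is an added example, not part of the original post. It assumes an elevated session on the CA server, the service name CertSvc, and the flag's bit value 0x00040000 in the EditFlags DWORD; the helper name Test-SanAttributeFlag is made up for the example.

```powershell
# Added example, not from the original post. Run elevated on the CA server.
$FlagName = 'EDITF_ATTRIBUTESUBJECTALTNAME2'
$FlagBit  = 0x00040000   # value of this flag in the EditFlags DWORD

function Test-SanAttributeFlag {   # hypothetical helper name
    $out = & certutil.exe -getreg 'policy\EditFlags' | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed:`n$out" }
    # Assumes certutil's usual line: "EditFlags REG_DWORD = <hex> (<decimal>)"
    if ($out -notmatch 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
        throw "Could not find the EditFlags value in certutil output:`n$out"
    }
    # Decode the hex DWORD and test the single bit instead of trusting names.
    $value = [Convert]::ToInt64($Matches[1], 16)
    return (($value -band $FlagBit) -ne 0)
}

if (Test-SanAttributeFlag) {
    Write-Output "$FlagName is already set; no change made."
} else {
    & certutil.exe -setreg 'policy\EditFlags' "+$FlagName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw 'certutil -setreg failed; is the session elevated?'
    }
    # Final step from the post: restart the CA service so the change applies.
    Restart-Service -Name CertSvc
    if (-not (Test-SanAttributeFlag)) {
        throw "$FlagName still not set after the change."
    }
    Write-Output "$FlagName set and CertSvc restarted."
}
```

With this flag set, the CA accepts SAN values supplied as request attributes, so review which accounts hold Enroll rights on your templates and whether requests require approval. The same certutil -setreg command with -EDITF_ATTRIBUTESUBJECTALTNAME2 in place of +EDITF_ATTRIBUTESUBJECTALTNAME2 clears the flag again.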
