Q: How can I enable my Windows Server 2008 or Windows Server 2003 Certification Authority to issue SAN certificates?

A: Neither Windows Server 2008 nor Windows Server 2003 are configured to issue Subject Alternative Name (SAN) certificates by default. The default Certification Authority (CA) policy module that's configured during the installation of the CA keeps this functionality disabled. Therefore, if SAN entries are included in certificate requests, the CA will omit them from the issued certificate.

To change this behavior, you must run the following commands at a command prompt on the server that runs your CA service:

certutil -setreg policyEditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2net stop certsvcnet start certsvc

The first certutil command changes the CA policy to enable it to embed the SAN extension in the certificates it issues. The second and third command stop and then restart the CA service to effectively apply the CA configuration change.

Microsoft recommends that you never enable SAN extension support on your enterprise root or enterprise subordinate CAs. If you enable this functionality, it must be on a standalone CA that's dedicated to issuing SAN certificates; on a standalone CA, certificate requests are held in a pending state until they can be reviewed and approved by a certificate manager. For security reasons, you don't want one of your enterprise CAs to automatically issue SAN certificates. The use of user-defined SAN extensions can increase the risk of impersonation attacks because it allows users to specify arbitrary names in their certificate requests. For more information about this topic, take a look at the "Security best practices for allowing SANs in certificates" section in the Microsoft TechNet article "How to Request a Certificate With a Custom Subject Alternative Name."