Creating and submitting a CSR with SAN’s using the Microsoft certificate request tool

Cerating SSL certificates for the management interfaces on an IronPort C360.

First, make sure your CA is configured to accept SAN attributes in a request. To do so, login to your CA and do the following:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

Browse to http://<servername>/certsrv and fill out the form, accepting most defaults. Change the following:

Check the box for “Mark keys as exportable”

In the attributes box, add the SAN attributes in the following format:

san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com

Submit and install the certificate. Find it, and export it to a .PFX file. Assign a password at the time of export. Then, import the PFX into the IronPort server, and assign that certificate to the management interface.