add or create 'Subject Alternative Name' field to self-signed certificate using makecert

再見小時候 2020-12-09 07:49

How can I create a certificate using makecert with a 'Subject Alternative Name' field?


3 answers
  •  感情败类
    2020-12-09 08:38

    Update

    The certificate generated using the below makecert method does not work reliably in all browsers, because it does not actually generate a "Subject Alternative Name".

    If you examine the certificate you will see that it does not actually have a Subject Alternative Name field, but instead specifies multiple CN in the Subject field.

    E.g.

    Subject:
    CN = blah.foo.corp
    CN = blah
    

    Whereas a real "SAN" cert would have something like:

    Subject Alternative Name:
    DNS Name=blah.foo.corp
    DNS Name=blah
    

    To understand the differences and history between the "Subject" field with "Common Name" and the "Subject Alternative Name" field, I recommend reading The (soon to be) not-so Common Name.

    So it appears that makecert cannot be used to generate a true "SAN" cert, and you will need to use other tools, such as openssl.


    Original Answer:

    At least with the version of makecert that comes with Visual Studio 2012, you can specify multiple subjects, simply by specifying a comma-separated list: -n "CN=domain1, CN=domain2"

    E.g. (from the TechNet blog Makecert.exe SAN and Wildcard certificate)

    makecert -r -pe -n "CN=*.fabrikam.com, CN=*.contoso.com" -b 01/01/2010 -e 01/01/2100 -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048
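
The difference the answer describes, as an added example that is not part of the original answer: using openssl (the tool the answer points to), this script builds one self-signed certificate with a real Subject Alternative Name extension and one with only multiple CNs in Subject, then reads the SAN back from each. The function names, file names and key parameters are assumptions; the host names reuse the answer's blah.foo.corp and blah.

```shell
#!/bin/sh
# Added example; the names make_cert, san_names and the file prefixes are made up.
# Needs the openssl CLI. Keys are written unencrypted: test use only.

# make_cert PREFIX yes|no
#   yes: one CN plus a real subjectAltName extension
#   no : two CNs in Subject and no SAN, the layout the answer says makecert emits
make_cert() {
    prefix=$1
    if [ "$2" = yes ]; then
        dn='CN = blah.foo.corp'
        ext='subjectAltName = DNS:blah.foo.corp, DNS:blah'
    else
        dn=$(printf '0.CN = blah.foo.corp\n1.CN = blah')
        ext='basicConstraints = CA:FALSE'
    fi
    cat > "$prefix.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
$dn
[v3]
$ext
EOF
    # umask in a subshell so the private key is not readable by other users
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -config "$prefix.cnf" -keyout "$prefix.key" -out "$prefix.pem" 2>/dev/null )
}

# san_names CERT: print the SAN entries; prints nothing if the extension is absent
san_names() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;s/ *$//;p;}'
}

# Demo run in a throwaway directory (constructed test certificates)
tmp=$(mktemp -d)
make_cert "$tmp/san" yes && make_cert "$tmp/multicn" no
echo "san.pem SAN:     $(san_names "$tmp/san.pem")"
echo "multicn.pem SAN: $(san_names "$tmp/multicn.pem")"
openssl x509 -in "$tmp/multicn.pem" -noout -subject
rm -rf "$tmp"
```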
    
