1. 技术文章
  2. add or create 'Subject Alternative Name' field to self-signed certificate using makecert

add or create 'Subject Alternative Name' field to self-signed certificate using makecert

倖福魔咒の 提交于 2019-12-17 18:43:06

问题


How can I create a certificate using makecert with a 'Subject Alternative Name' field ?

You can add some fields eg, 'Enhanced Key Usage' with the -eku option and I've tried the -san option but makecert doesn't like it.

This is a self-signed certificate so any method that uses IIS to create something to send off to a CA won't be appropriate.


回答1:


Makecert doesn't appear to support SANs so I created a certificate with SANs for use with IIS using OpenSSL. Check out my post about it.

http://andyarismendi.blogspot.com/2011/09/creating-certificates-with-sans-using.html




回答2:


An even easier way is to use the New-SelfSignedCertificate PowerShell commandlet, which includes a SAN by default. In a single command you can create the certificate and add it to the store.

New-SelfSignedCertificate -DnsName localhost -CertStoreLocation cert:\LocalMachine\My

Note that you need to run PowerShell as an administrator.




回答3:


Update

The certificate generated using the below makecert method does not work reliably in all browsers, because it does not actually generate a "Subject Alternative Name".

If you examine the certificate you will see that it does not actually have a Subject Alternative Name field, but instead specifies multiple CN in the Subject field.

E.g.

Subject:
CN = blah.foo.corp
CN = blah

Whereas a real "SAN" cert would have something like:

Subject Alternative Name:
DNS Name=blah.foo.corp
DNS Name=blah

To understand the differences and history between the "Subject" field with "Common Name" and the "Subject Alternative Name" field, I recommend reading The (soon to be) not-so Common Name.

So it appears that makecert cannot be used to generate a true "SAN" cert, and you will need to use other tools, such as openssl.

Original Answer:

At least with the version of makecert that comes with Visual Studio 2012, you can specify multiple subjects, simply by specifying a comma separated list -n "CN=domain1, CN=domain2"

E.g. (from the technet blog Makecert.exe SAN and Wildcard certificate)

makecert -r -pe -n "CN=*.fabrikam.com, CN=*.contoso.com" -b 01/01/2010 -e 01/01/2100 -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048


来源:https://stackoverflow.com/questions/6383054/add-or-create-subject-alternative-name-field-to-self-signed-certificate-using

标签
certificate
x509certificate
self-signed
makecert
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!