The Solution

First off if you don’t have OpenSSL you’ll need to get a copy.

If you’re using windows and are looking for convenience then I would suggest you download the SSL install provided here

If you’re using Linux, then you more than likely have it already or if not I’m sure you know how to get it.

This guide is based on a Windows install but should translate to any OS.

Step 1. Add one or more SANs into your CSR with OpenSSL

Browse to C:\OpenSSL-Win32\bin

Copy the default openssl.cfg file to a mysettings.cfg file

Edit the mysettings.cfg file and add these additional required parameters


req_extensions = v3_req (this option is commented out so you can simply remove the #)

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

subjectAltName = @alt_names


DNS.1 = server1.example.local

DNS.2 = mail.example.local

DNS.3 = www.example.local

DNS.4 = www.sub.example.local

DNS.5 = mx.example.local

DNS.6 = support.example.local

Add the alternate names to the list using the format above so if your certificate CN is server1.example.local then add that as shown above.

Save the config file.

Step 2. Generate the CSR using OpenSSL

Open a command prompt in C:\OpenSSL-Win32\bin

Run the following command to generate the CSR and keyfiles.

openssl req -new -newkey rsa:2048 -nodes -keyout servername.key -subj "/C=GB/ST=State/L=City/O=Organisation/OU=OU/CN=server1.example.local/" -out servername.csr -config mysettings.cfg

This will generate a yourserverhsotname.key and yourservername.csr in the bin directory.

Keep the command prompt open.

Step 3. Check multiples SANs in your CSR using OpenSSL

In the command prompt window run the following command to display an output of the CSR which will display the SAN's.

openssl req -text -noout -in newserverreq.csr

Step 4. Submit the CSR to your Microsoft CA

Copy the servername.csr file to you CA server, in this example its been placed in the directory c:\csr\

Open a command prompt and run the below command.

certreq -submit -attrib "CertificateTemplate:WebServer" c:\csr\servername.csr

This assumes you have the default Web Server template active on your CA, if you have a customised template the name can be changed.

Select your certificate authority and hit OK, you'll then be prompted to save the .cer file.

Copy this file back to your OpenSSL bin folder.

Step 5. Conver the CER file to PFX

Run the following OpenSSL command to merge the servername.cer and servername.key files into a servername.pfx file ready for import into IIS

openssl pkcs12 -export -out servername.pfx -inkey servername.key -in servername.cer

You'll be asked to provide a password, make a note of this as its required in the next step.

Step 6. Install the certificate on IIS

Open IIS manager on the server you wish to install the certificate and go to Server Certificates.

Use Import from the actions pane to import the .pfx file, you will be asked for the password from the previous step.

Once imported you will need to change the site binding, to do this select the site you wish to modify from the connections pane and then bindings from the actions pane. Select HTTPS and then edit. Select the certificate you just imported from the SSL certificate drop dopdown and then Okay and Close.

Open Chrome, browse to the site and hopefully you should fine a nice green padlock rather than an annoying security warning.

On another note when trying this in Firefox to confirm full compatibility I noticed that Firefox was not able to see the full certificate chain. 

This is due to Firefox not checking the local certificate store by default. 

To resolve this you can go to about:config and set the string security.enterprise_roots.enabled to True then restart the browser.

Barry Knox

Written by Barry Knox