First off, if you don't have OpenSSL you'll need to get a copy.
If you're using Windows and are looking for convenience, I'd suggest you download the OpenSSL installer provided here
If you're using Linux, you more than likely have it already, and if not you know how to get it.
This guide is based on a Windows install but the OpenSSL commands are identical on any OS.
Step 1. Add one or more SANs into your CSR with OpenSSL
Browse to C:\OpenSSL-Win32\bin
Copy the default openssl.cfg file to a mysettings.cfg file
Edit the mysettings.cfg file and add these additional required parameters
In the [ req ] section, uncomment req_extensions = v3_req (the line is already there with a leading #, so simply remove the #). Then make sure the file contains the two sections below. The default file already has a [ v3_req ] section with basicConstraints and keyUsage; add the subjectAltName line to it and add the new [ alt_names ] section it refers to (without that section OpenSSL will fail with an error about alt_names when you generate the CSR).
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = server1.example.local
DNS.2 = mail.example.local
DNS.3 = www.example.local
DNS.4 = www.sub.example.local
DNS.5 = mx.example.local
DNS.6 = support.example.local
Add your alternate names to the [ alt_names ] list in this format, one DNS.n entry per name. Include the certificate's CN in the list as well (here server1.example.local is DNS.1): modern browsers ignore the CN once a subjectAltName extension is present, so a name that appears only in the CN will not match.
Save the config file.
Step 2. Generate the CSR using OpenSSL
Open a command prompt in C:\OpenSSL-Win32\bin
Run the following command to generate the CSR and the private key file (the emailAddress is optional; drop it if your CA does not want one).
openssl req -new -newkey rsa:2048 -nodes -subj "/C=GB/ST=State/L=City/O=Organisation/OU=OU/CN=server1.example.local/emailAddress=firstname.lastname@example.org" -keyout servername.key -out servername.csr -config mysettings.cfg
This generates servername.key and servername.csr in the bin directory. Because of -nodes the private key is not encrypted, so keep the .key file somewhere only you can read.
Keep the command prompt open.
Step 3. Check multiple SANs in your CSR using OpenSSL
In the command prompt window, run the following command to print the contents of the CSR; your names should appear under "X509v3 Subject Alternative Name". The -verify flag also checks the request's self-signature.
openssl req -text -noout -verify -in servername.csr
Step 4. Submit the CSR to your Microsoft CA
Copy the servername.csr file to your CA server; in this example it has been placed in the directory c:\csr\
Open a command prompt and run the below command.
certreq -submit -attrib "CertificateTemplate:WebServer" c:\csr\servername.csr
This assumes the default Web Server template is enabled on your CA and that it lets the subject be supplied in the request (the default for Web Server); if the template builds the subject from Active Directory instead, the names in your CSR are not honoured. If you use a customised template, substitute its name.
Select your certificate authority (if prompted) and click OK; you'll then be prompted to save the .cer file. Inspect the issued .cer and confirm that every SAN you requested is present before going further, since a CA can drop or change extensions it was asked for.
Copy this file back to your OpenSSL bin folder.
Step 5. Convert the CER file to PFX
Run the following OpenSSL command to merge servername.cer and servername.key into servername.pfx, ready for import into IIS.
openssl pkcs12 -export -out servername.pfx -inkey servername.key -in servername.cer
You'll be asked for an export password; make a note of it as it's required in the next step. This password is all that protects the private key inside the .pfx, so choose a strong one and don't leave copies of the .pfx or the unencrypted .key lying around once the certificate is installed.
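The OpenSSL side of Steps 1 to 5 as a single script, added here as an example and not part of the original post. It writes the mysettings.cfg sections from Step 1, generates the key and CSR from Step 2, lists the SANs in the CSR as in Step 3, and builds the PFX from Step 5, running a check after each step. Because the script has to run offline, a throwaway local CA (an assumption of the example, not something in the post) stands in for the Microsoft CA of Step 4; with the real CA you run certreq, copy the .cer back and run the same SAN check on it. The scratch directory, the test-CA name and the example PFX password are assumptions of mine. It is written for a POSIX shell (Git Bash, WSL or Linux) since the OpenSSL commands are the same ones typed into the Windows prompt above.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: Steps 1, 2, 3 and 5 of the
# procedure in one script, with the check a practitioner wants after each step.
# Same OpenSSL commands as the post; works in Git Bash, WSL or Linux with
# OpenSSL 1.1.1 or 3.x. Assumptions (mine, not the post's): files live in a
# scratch directory, a throwaway local CA stands in for the Microsoft CA of
# Step 4, and the PFX password comes from an environment variable.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"
CN="server1.example.local"
# The CN must also appear as DNS.1: browsers ignore the CN when a SAN is present.
SANS="server1.example.local mail.example.local www.example.local www.sub.example.local mx.example.local support.example.local"
PFX_PASS="${PFX_PASS:-ChangeMe-ExamplePassword}"   # assumption: example password only

# Step 1: the [req]/[v3_req]/[alt_names] sections of the post's mysettings.cfg,
# written from scratch here so the script does not depend on a copied openssl.cfg.
write_config() {
  local i=1
  {
    printf '[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n\n'
    printf '[ req_distinguished_name ]\n\n'   # empty: the subject comes from -subj
    printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
    printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
    printf 'subjectAltName = @alt_names\n\n[ alt_names ]\n'
    for name in $SANS; do
      printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1))
    done
  } > "$WORK/mysettings.cfg"
}

# Step 2: 2048-bit RSA key plus CSR. -nodes leaves the key unencrypted, so lock
# the file down; it is the only copy of the private key until the PFX is built.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/servername.key" \
    -subj "/C=GB/ST=State/L=City/O=Organisation/OU=OU/CN=$CN/emailAddress=firstname.lastname@example.org" \
    -out "$WORK/servername.csr" -config "$WORK/mysettings.cfg" 2>/dev/null
  chmod 600 "$WORK/servername.key"
}

# Step 3 (and the same check on the issued cert): list the DNS SANs, one per line.
# $1 is "req" for a CSR or "x509" for a certificate, $2 the file.
list_sans() {
  openssl "$1" -in "$2" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# True when the names in the CSR/cert are exactly the requested ones.
sans_match() {
  [ "$(list_sans "$1" "$2" | sort)" = "$(printf '%s\n' $SANS | sort)" ]
}

# Stand-in for Step 4: a throwaway CA signs the CSR, re-applying v3_req so the
# SANs end up in the certificate. With the Microsoft CA you instead run certreq
# and copy the returned .cer back; run sans_match on it just the same, because a
# CA can drop or rewrite extensions it was asked for.
issue_with_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -config "$WORK/mysettings.cfg" 2>/dev/null
  openssl x509 -req -in "$WORK/servername.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/mysettings.cfg" -extensions v3_req \
    -out "$WORK/servername.cer" 2>/dev/null
}

# Step 5: bundle key and certificate into a password-protected PFX for IIS.
export_pfx() {
  openssl pkcs12 -export -out "$WORK/servername.pfx" -inkey "$WORK/servername.key" \
    -in "$WORK/servername.cer" -passout "pass:$PFX_PASS"
}

# True when the certificate inside the PFX carries the public key of our private key.
pfx_key_matches() {
  local from_key from_pfx
  from_key=$(openssl pkey -in "$WORK/servername.key" -pubout | openssl sha256)
  from_pfx=$(openssl pkcs12 -in "$WORK/servername.pfx" -nokeys -clcerts -passin "pass:$PFX_PASS" \
             | openssl x509 -noout -pubkey | openssl sha256)
  [ -n "$from_key" ] && [ "$from_key" = "$from_pfx" ]
}

main() {
  write_config; make_csr
  echo "SANs in CSR:";  list_sans req "$WORK/servername.csr"
  issue_with_test_ca
  echo "SANs in issued certificate:"; list_sans x509 "$WORK/servername.cer"
  export_pfx
  pfx_key_matches && echo "PFX key matches certificate; files are in $WORK"
}
main
```

The two checks that matter most are the ones the post's steps only imply: the SAN list is compared against the requested names both in the CSR and in the issued certificate, because the CA (not the CSR) decides what ends up in the certificate, and the PFX is opened again to confirm the bundled certificate really belongs to the private key, which catches the common mistake of pairing a fresh .cer with an older .key.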
Step 6. Install the certificate on IIS
Open IIS Manager on the server where you want to install the certificate and go to Server Certificates.
Use Import from the Actions pane to import the .pfx file; you will be asked for the password from the previous step.
Once imported you need to change the site binding. Select the site you wish to modify in the Connections pane and then Bindings in the Actions pane. Select the HTTPS binding and click Edit, pick the certificate you just imported from the SSL certificate dropdown, then click OK and Close.
Open Chrome and browse to the site; you should now find a nice green padlock rather than an annoying security warning.
On another note, when trying this in Firefox to confirm full compatibility, I noticed that Firefox was not able to see the full certificate chain.
This is because Firefox ships its own trust store and, by default, does not consult the Windows certificate store where your enterprise root CA lives.
To resolve this, go to about:config, set the boolean security.enterprise_roots.enabled to true, then restart the browser.