This article describes how to add a subject alternative name (SAN) to a secure Lightweight Directory Access Protocol (LDAP) certificate.
Original KB number: 931351
The LDAP certificate is submitted to a certification authority (CA) that is configured on a Windows Server 2003-based computer. The SAN lets you connect to a domain controller by using a Domain Name System (DNS) name other than the computer name. This article includes information about how to add SAN attributes to a certificate request that's submitted to an enterprise CA, a stand-alone CA, or a third-party CA.
This article also discusses how to do the following actions:
When you submit a certificate request to an enterprise CA, the certificate template must be configured to use the SAN in the request instead of using information from the Active Directory directory service. The Version 1 Web Server template can be used to request a certificate that will support LDAP over the Secure Sockets Layer (SSL). Version 2 templates can be configured to retrieve the SAN either from the certificate request or from Active Directory. To issue certificates that are based on Version 2 templates, the enterprise CA must be running on a computer that is running Windows Server 2003 Enterprise Edition.
When you submit a request to a stand-alone CA, certificate templates aren't used. Therefore, the SAN must always be included in the certificate request. SAN attributes can be added to a request that is created by using the Certreq.exe program. Or, SAN attributes can be included in requests that are submitted by using the web enrollment pages.
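Before submitting a request to an enterprise CA, it is worth confirming which templates actually take the subject and SAN from the request rather than from Active Directory, as the two paragraphs above describe. The following PowerShell audit is an added example and not part of the article; it reads the msPKI-Certificate-Name-Flag attribute of each template in the Configuration partition and reports the two relevant bits. The flag values are the documented CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME constants from MS-CRTD; the LDAP container path is the standard one for an Active Directory forest and is assumed to be reachable from the machine where the script runs.

```powershell
# Added example (not from KB 931351): list certificate templates in the forest and show
# whether each one takes the subject and/or SAN from the enrollee's request.
# Bit values are the MS-CRTD constants for msPKI-Certificate-Name-Flag.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT          = 0x00000001
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME = 0x00010000

# Templates live under the Public Key Services container of the Configuration partition.
$rootDse = [ADSI]'LDAP://RootDSE'
$templatesPath = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$templatesPath)
$searcher.Filter = '(objectClass=pKICertificateTemplate)'
[void]$searcher.PropertiesToLoad.AddRange(@('cn', 'msPKI-Certificate-Name-Flag', 'msPKI-Template-Schema-Version'))

$report = foreach ($result in $searcher.FindAll()) {
    # DirectorySearcher lower-cases property names; a missing attribute yields $null -> 0.
    $flags = [int]$result.Properties['mspki-certificate-name-flag'][0]
    [pscustomobject]@{
        Template           = $result.Properties['cn'][0]
        SchemaVersion      = $result.Properties['mspki-template-schema-version'][0]
        SubjectFromRequest = [bool]($flags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        SanFromRequest     = [bool]($flags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME)
    }
}

# Only templates with SubjectFromRequest/SanFromRequest set will honor a SAN carried in
# the request; every other template builds the name from Active Directory instead.
$report | Sort-Object Template | Format-Table -AutoSize
```

Templates that accept a requester-supplied name are the ones to keep tightly scoped through enrollment permissions and, where available, manager approval, because the CA will sign whatever DNS name the requester places in the SAN.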
To submit a certificate request that contains a SAN to an enterprise CA, follow these steps:
Note The placeholder
Note The CA must be configured to issue web server certificates. You may have to add the Web Server template to the Certificate Templates folder in the Certification Authority snap-in if the CA is not already configured to issue web server certificates.
To submit a certificate request that includes a SAN to a stand-alone CA, follow these steps:
Note The placeholder
To use the Certreq.exe utility to create and submit a certificate request, follow these steps:
certreq -new request.inf certnew.req
certreq -submit certnew.req certnew.cer
This command submits the certificate request to the CA. If there's more than one CA in the environment, use the -config switch on the command line to direct the request to a specific CA. If you don't use the -config switch, you're prompted to select the CA to which the request should be submitted. The -config switch refers to a specific CA by using the following format:
computername\Certification Authority Name
For example, assume that the CA name is Corporate Policy CA1 and that the domain name is corpca1.fabrikam.com. To use the certreq command together with the -config switch to specify this CA, type the following command:
certreq -submit -config "corpca1.fabrikam.com\Corporate Policy CA1" certnew.req certnew.cer
certreq -retrieve RequestID certnew.cer
certreq -accept certnew.cer
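The certreq steps above can be scripted end to end, including generating the request.inf file that carries the SAN and then checking the issued certificate before it is relied on for LDAP over SSL. The PowerShell below is an added example and not the article's own text; the host name dc1.fabrikam.com and the alias ldap.fabrikam.com are constructed placeholders, and the -config value reuses the CA name from the article's example. The INF places the SAN in the 2.5.29.17 extension of the request itself (the documented "{text}" / _continue_ syntax for certreq), so the names are covered by the request signature; the certreq switches used are the ones shown in the article.

```powershell
# Added example (not from KB 931351): create a request.inf that carries the SAN,
# run the certreq steps from the article, then verify the issued certificate.
$Fqdn     = 'dc1.fabrikam.com'                          # assumed: the domain controller's own DNS name
$Aliases  = @('ldap.fabrikam.com')                      # assumed: additional DNS names clients connect to
$CaConfig = 'corpca1.fabrikam.com\Corporate Policy CA1' # CA name from the article's -config example

# One _continue_ line per DNS name; certreq concatenates them into the SAN extension.
$sanLines = (@($Fqdn) + $Aliases | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines

[RequestAttributes]
CertificateTemplate = WebServer
"@

$inf | Set-Content -Path request.inf -Encoding ASCII

# Steps from the article: create, submit, accept.
certreq -new request.inf certnew.req
certreq -submit -config $CaConfig certnew.req certnew.cer
# If the CA holds the request as pending (typical for a stand-alone CA), approve it on the
# CA and then run: certreq -retrieve <RequestID> certnew.cer   before accepting.
certreq -accept certnew.cer

# Verification: the newest certificate for this subject must carry every DNS name in its
# SAN, the Server Authentication EKU, and a private key in the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$Fqdn found in LocalMachine\My" }

$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Issued certificate has no subject alternative name extension' }
$sanText = $sanExt.Format($true)
foreach ($name in @($Fqdn) + $Aliases) {
    if ($sanText -notmatch [regex]::Escape($name)) { throw "SAN is missing DNS name $name" }
}

$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $ekuExt -or ($ekuExt.EnhancedKeyUsages | ForEach-Object Value) -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'Issued certificate lacks the Server Authentication EKU'
}
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key in the machine store' }

"OK: $($cert.Thumbprint) covers $((@($Fqdn) + $Aliases) -join ', ')"
```

Run this from an elevated prompt on the domain controller, since the key pair is generated in the machine store (MachineKeySet = TRUE). Generating the key as non-exportable and placing the SAN inside the signed request, rather than in a separate request attribute, means the CA signs exactly the names the requester asked for and nothing can alter them in transit.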
If you want to submit a certificate request to a third-party CA, first use the Certreq.exe tool to create the certificate request file. You can then submit the request to the third-party CA by using whatever method is appropriate for that vendor. The third-party CA must be able to process certificate requests in the CMC format.
Most vendors refer to the certificate request as a Certificate Signing Request (CSR).
For more information about how to enable LDAP over SSL together with a third-party certification authority, see How to enable LDAP over SSL with a third-party certification authority.
For more information about how to request a certificate that has a custom subject alternative name, see How to Request a Certificate With a Custom Subject Alternative Name.
For more information about how to use certutil tasks to manage a certification authority (CA), go to the following Microsoft Developer Network (MSDN) website: Certutil tasks for managing a Certification Authority (CA).