Use certreq to create the request for a SAN certificate, because Windows cannot do this through the GUI:
Certreq.exe -new RequestPolicy.inf SAN_cert.req
Contents of RequestPolicy.inf:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "SAN certificate" ; Remove to use an empty Subject name.
Exportable = TRUE ; TRUE = Private key is exportable
KeyLength = 2048 ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; Key Exchange – Required for encryption
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10 ; or CMC.
[EnhancedKeyUsageExtension]
; If you are using an enterprise CA the EnhancedKeyUsageExtension section can be omitted
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=domain.test&dns=*.domain.test&dns=domain.com&dns=*.domain.com&"
_continue_ = "url=http://*domain.test&"
_continue_ = "ipaddress=127.0.0.1&"
_continue_ = "email=admin@domain.com&"
_continue_ = "guid=d9c3ab41-b8ce-4ab4-aa58-3d1ff0e36b39&"
The GUID can be generated with any utility.
After the certificate has been issued, run:
certreq -accept SAN_cert.cer
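Before running certreq -new it is worth seeing exactly which names the policy file asks the CA to vouch for. The PowerShell below is an added example, not part of the original post: it reads the SAN text from [Extensions] and the settings from [NewRequest] and lists each entry. The function name Get-SanReview and the inline sample INF are assumptions made for the illustration.

```powershell
# Added example (not from the original post): list the SAN entries a certreq
# policy file will request and flag settings worth a second look.
# $inf is a constructed sample shaped like RequestPolicy.inf above.
$inf = @'
[NewRequest]
Subject = "SAN certificate" ; Remove to use an empty Subject name.
Exportable = TRUE ; TRUE = Private key is exportable
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=domain.test&dns=*.domain.test&"
_continue_ = "ipaddress=127.0.0.1&"
_continue_ = "email=admin@domain.com&"
'@

function Get-SanReview {   # hypothetical helper name
    param([string]$InfText)
    $section = ''; $san = ''; $inSan = $false; $settings = @{}
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $inSan = $false; continue }
        if (-not ($line -match '^([^=]+?)\s*=\s*(.*)$')) { continue }
        $key = $Matches[1].Trim()
        # Strip a trailing "; comment", then the surrounding quotes.
        $value = ($Matches[2] -replace '\s*;[^"]*$', '').Trim().Trim('"')
        if ($section -eq 'NewRequest') { $settings[$key] = $value }
        if ($section -ne 'Extensions') { continue }
        # The SAN value starts at OID 2.5.29.17 and runs on through _continue_ lines.
        if ($key -eq '2.5.29.17') { $inSan = $true; $value = $value -replace '^\{text\}', '' }
        elseif ($key -ne '_continue_') { $inSan = $false }
        if ($inSan) { $san += $value }
    }
    if ($settings['Exportable'] -eq 'TRUE') {
        Write-Warning 'Exportable = TRUE: the private key can be exported from this machine.'
    }
    foreach ($pair in ($san -split '&' | Where-Object { $_ })) {
        $type, $name = $pair -split '=', 2
        $note = ''
        if ($type -eq 'dns' -and $name -match '^\*\.') { $note = 'wildcard name' }
        if ($type -eq 'ipaddress' -and $name -eq '127.0.0.1') { $note = 'loopback address' }
        [pscustomobject]@{ Type = $type; Name = $name; Note = $note }
    }
}

Get-SanReview -InfText $inf | Format-Table -AutoSize
```

To check the real file, pass `(Get-Content RequestPolicy.inf -Raw)` as `-InfText`.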