We have a working internal certificate process and instructions on how to use it involving certreq; however, on Windows 11 it stopped generating SAN correctly.
Internal certreq template:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=<machine-name>.domain-name,O=Cedaron,OU=<machine-name>,ST=California,L=Davis,C=US"
KeyLength = 2048
KeySpec = 1
Exportable = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = SHA256
MachineKeySet = True
SMIME = False
UseExistingKeySet = False
RequestType = PKCS10
KeyUsage = 0xA0
Silent = True
FriendlyName = "Certificate SHA-256"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=<machine-name>.domain-name&dns=<machine-name>&dns=localhost"
New template to try to fix the problem (DO NOT USE):
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=<machine-name>.domain-name,O=Cedaron,OU=<machine-name>,ST=California,L=Davis,C=US"
KeyLength = 2048
KeySpec = 1
Exportable = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = SHA256
MachineKeySet = True
SMIME = False
UseExistingKeySet = False
RequestType = PKCS10
KeyUsage = 0xA0
Silent = True
FriendlyName = "Certificate SHA-256"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[RequestAttributes]
SAN="dns=<machine-name>.domain-name&dns=<machine-name>&"
I can see the request attribute for SAN in the file either way, but it's corrupted. I'm currently getting undefined: 0: hostname.domainnamemyusernamecertreq
Web searches find the same broken instructions still. For example: https://saketupadhyay.medium.com/how-to-create-a-certificate-signing-request-csr-in-2021-windows-11-10-156202d1bf97
This generates what is necessary, except that the SAN is no longer filled.
Please specify if the command needs PowerShell. I don't mind using PowerShell, but if you don't specify I'm going to key it into cmd.exe and wonder why it doesn't work.
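A way to check which DNS names actually landed in a generated request's Subject Alternative Name extension (2.5.29.17), as an added example that is not part of the original post; it runs in PowerShell, not cmd.exe. The file name `request.req`, the host names and the English `DNS Name=` label in certutil's output are assumptions.

```powershell
# Added example: compare the SAN DNS entries in a CSR against the names the
# template asked for. Assumptions: request.req was produced by
#   certreq -new request.inf request.req
# the host names below are constructed, and certutil prints English labels.
$RequestPath = '.\request.req'
$Expected    = @('host1.example.internal', 'host1', 'localhost')

# Decode the PKCS#10 request; certutil returns a non-zero exit code on failure.
$dump = & certutil.exe -dump $RequestPath
if ($LASTEXITCODE -ne 0) {
    throw "certutil could not decode $RequestPath (exit code $LASTEXITCODE)"
}

# certutil lists each SAN entry on its own line as "DNS Name=<value>".
$found = @($dump |
    Select-String -Pattern '^\s*DNS Name=(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() })

# -notcontains compares case-insensitively, which matches DNS name semantics.
$missing    = @($Expected | Where-Object { $found -notcontains $_ })
$unexpected = @($found    | Where-Object { $Expected -notcontains $_ })

if ($found.Count -eq 0) {
    Write-Warning 'No SAN DNS entries found in the request.'
}

# Ok is true only when the request carries exactly the expected names, so a
# merged or mangled entry shows up under Unexpected instead of passing.
[pscustomobject]@{
    Found      = $found -join ', '
    Missing    = $missing -join ', '
    Unexpected = $unexpected -join ', '
    Ok         = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
}
```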