Add SAN names to existing request

Apr 13, 2015 at 2:04 PM
I'm trying to use the example on the Set-CertificateExtension page but I'm having an issue and not sure what I'm doing wrong.

Here is the PowerShell code I'm using to add the SAN names:

$SANNames = @("mail.shilab.com",
              "autodiscover.shilab.com")

# Create san name collection
$AlternateNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeNameCollection

# Add names to collection
foreach($Name in $SANNames){
    $AlternateNames.Add($(New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName",$Name))
}

# Create extension to CSR
$SAN = New-Object Security.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $AlternateNames

# Get handle to CA
$CA = Get-CertificationAuthority -ComputerName shilabca1.shilab.local

# Add SAN extension to request
Get-PendingRequest -CertificationAuthority $CA -RequestID 19 | Set-CertificateExtension -Extension $SAN
This is the CSR I submitted to my subordinate enterprise CA:
-----BEGIN NEW CERTIFICATE REQUEST-----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==
-----END NEW CERTIFICATE REQUEST-----
The subject name in the CSR is ts.shilab.com. After the certificate is submitted, the SAN extension added and the certificate issued, I apply it to my IIS 8.5 site. When I attempt to access the site by the subject name ts.shilab.com I get an error in IE stating the certificate name doesn't match the name I put in the browser. However, if I use mail.shilab.com or autodiscover.shilab.com it works with no issue. What am I doing wrong? I've tried to add ts.shilab.com to the SAN extension but receive an error when I run Set-CertificateExtension.
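As an added example (not code from the thread or from the PSPKI project), here is a variant of the poster's script that builds the SAN extension from the request's own subject CN plus the extra names, de-duplicates the list, and decodes the extension for inspection before it is written to the pending request. A client that finds a SAN extension matches the host name against the SAN entries and ignores the subject CN, so a certificate whose SAN omits the CN will not validate under that name. It assumes the PSPKI module is loaded, that the caller holds Issue and Manage Certificates rights on the CA, and it uses the same constructor call for X509SubjectAlternativeNamesExtension that the thread uses; the CA host, request ID and names are the values from the thread and stand in for real ones.

```powershell
# Added example, not the thread's or PSPKI's own code.
# Assumptions: PSPKI is installed, the caller can manage pending requests on the
# CA, and $CAHost/$RequestID/$SubjectName/$ExtraNames are taken from the thread.
Import-Module PSPKI

$CAHost      = 'shilabca1.shilab.local'
$RequestID   = 19
$SubjectName = 'ts.shilab.com'                       # CN of the pending request
$ExtraNames  = @('mail.shilab.com', 'autodiscover.shilab.com')

# The subject CN must be in the SAN as well: once a SAN extension is present,
# TLS clients match the requested host name only against the SAN entries.
$AllNames = @($SubjectName) + $ExtraNames | Select-Object -Unique

# Build the name collection (same PSPKI types the thread uses)
$AlternateNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeNameCollection
foreach ($Name in $AllNames) {
    $AltName = New-Object Security.Cryptography.X509Certificates.X509AlternativeName 'DnsName', $Name
    $AlternateNames.Add($AltName)
}
$SAN = New-Object Security.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $AlternateNames

# Decode and display the extension before touching the CA, so a missing or
# misspelled name is caught here rather than after the certificate is issued.
Write-Host 'Subject Alternative Name extension to be added:'
Write-Host $SAN.Format($true)

$CA  = Get-CertificationAuthority -ComputerName $CAHost
$Req = Get-PendingRequest -CertificationAuthority $CA -RequestID $RequestID
if (-not $Req) { throw "Request $RequestID is not pending on $CAHost" }

# Write the SAN as an authenticated extension on the pending request
$Req | Set-CertificateExtension -Extension $SAN
```

Adding the extension this way keeps the CA operator in control of which names are issued; the names never travel as a request attribute that the enrollee could choose freely.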
Coordinator
Apr 13, 2015 at 2:46 PM
I've tried to add ts.shilab.com to the SAN extension but receive an error when I run Set-CertificateExtension
What error do you receive?

Looking at your request, it contains all the mentioned names:
    2.5.29.17: Flags = 0, Length = 3b
    Subject Alternative Name
        DNS Name=ts.shilab.com
        DNS Name=mail.shilab.com
        DNS Name=autodiscover.shilab.com
IE should not complain when accessing "ts.shilab.com" name.
Apr 13, 2015 at 3:02 PM
Sorry, I posted the wrong CSR. In the CSR I had attached, I had already added the SAN information. Below is the CSR I was testing with that threw the error:
-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----
In this CSR there is no SAN information, only the subject of ts.shilab.com. I would like to add SAN names to the request. Below is the error I was getting:
Exception calling "DecodeDerString" with "1" argument(s): "Index was outside the bounds of the array."
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\pspki\Server\Set-CertificateExtension.ps1:35 char:6
+                     $derValue = [PKI.ASN.ASN1]::DecodeDerString($ext.RawData)
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IndexOutOfRangeException
 
Exception calling "SetCertificateExtension" with "6" argument(s): "CCertAdmin::SetCertificateExtension: The data is invalid. 
0x8007000d (WIN32: 13 ERROR_INVALID_DATA)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\pspki\Server\Set-CertificateExtension.ps1:37 char:7
+                         $CertAdmin.SetCertificateExtension($Req.ConfigString,$Req.RequestID,$ext.O ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ComMethodTargetInvocation
The process I'm following is:
1) CSR is generated
2) CSR submitted to subordinate enterprise CA
3) Use Set-CertificateExtension to add SAN names to request
4) Approve request
5) Send certificate to end user

I have run certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 on my subordinate CA and restarted services.
Coordinator
Apr 13, 2015 at 3:13 PM
I have run certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 on my subordinate CA and restarted
Please remove this setting immediately.

I will check what is wrong with BSTR.
Apr 13, 2015 at 3:23 PM
I've removed the setting. I thought it was required if I wanted to add SAN names to CSRs that do not have them in the CSR encoded data.
Coordinator
Apr 13, 2015 at 3:26 PM
This setting was necessary to submit SAN as a request attribute, not as an authenticated extension. This setting opens a big hole in your PKI, because any request can pass an arbitrary SAN value and impersonate any user.
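As an added example from the defender's side (not code from the thread or from PSPKI), the script below audits a CA for the EDITF_ATTRIBUTESUBJECTALTNAME2 flag the coordinator warns about and prints the remediation when it is set. It reads the policy module's EditFlags value from the CertSvc registry hive rather than parsing certutil output; the flag's documented bit value is 0x00040000. It assumes it is run on the CA itself, or that WinRM is available for the -ComputerName case, and that the caller can read the CertSvc configuration keys; the CA host name is the one from the thread.

```powershell
# Added example, not the thread's or PSPKI's own code.
# Assumptions: run on the CA, or WinRM reachable when -ComputerName is given;
# the caller can read HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # documented bit value of the flag

function Test-SanAttributeFlag {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Runs locally or remotely; returns the CA name and its raw EditFlags DWORD
    $reader = {
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
        # 'Active' holds the common name of the CA hosted on this server
        $caName = (Get-ItemProperty -Path $base -Name Active).Active
        $policy = Join-Path $base "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
        [PSCustomObject]@{
            CAName    = $caName
            EditFlags = [int](Get-ItemProperty -Path $policy -Name EditFlags).EditFlags
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        $reg = & $reader
    } else {
        $reg = Invoke-Command -ComputerName $ComputerName -ScriptBlock $reader
    }

    [PSCustomObject]@{
        ComputerName        = $ComputerName
        CAName              = $reg.CAName
        EditFlags           = ('0x{0:x}' -f $reg.EditFlags)
        SanAttributeEnabled = (($reg.EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
    }
}

$result = Test-SanAttributeFlag -ComputerName 'shilabca1.shilab.local'
$result | Format-List

if ($result.SanAttributeEnabled) {
    Write-Warning "$($result.CAName): EDITF_ATTRIBUTESUBJECTALTNAME2 is set; any enrollee can supply an arbitrary SAN as a request attribute."
    Write-Warning 'Clear it and restart the CA service:'
    Write-Warning '  certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2'
    Write-Warning '  Restart-Service certsvc'
}
```

With the flag cleared, the supported way to put names into a certificate that the CSR did not carry is the one the thread is using: the CA operator adds the SAN as an authenticated extension on the pending request (Set-CertificateExtension) and then approves it, so the enrollee never chooses the names.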