To create a CSR and include not only a CN (Common Name) but also a SAN(s) too, you can use the following process.
1. Firstly create a text file called request.inf and fill it with the following:
;----------------- request.inf -----------------
[Version]
Signature= $Windows NT$
[NewRequest]
Subject = "CN=host0.oaklands.ac.uk, OU=Department, O=Organisation, L=Town, S=County, C=Country" ; replace attributes in this line using example below
KeySpec = 1
KeyLength = 2048
; Can be 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
FriendlyName = vdm
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = Microsoft RSA SChannel Cryptographic Provider
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=host1.domain.com&"
_continue_ = "dns=host2.domain.com"
;-----------------------------------------------2. Now run this command to create a CSR:
> certreq -new request.inf certreq.txtYou can check it has the right info here: https://certlogik.com/decoder/ before sending to your CA.
3. Send this CSR to your CA, when you get the file back run the command below:
> certreq -accept cert.cer4. To ensure it has been added correctly, check the Certificate MMC snap-in.