add or create 'Subject Alternative Name' field to self-signed certificate using makecert
How can I create a certificate using makecert with a 'Subject Alternative Name' field?


You can add some fields, e.g. 'Enhanced Key Usage', with the -eku option, and I've tried the -san option but makecert doesn't like it.

This is a self-signed certificate so any method that uses IIS to create something to send off to a CA won't be appropriate.

Selvage answered 17/6, 2011 at 8:11
Makecert doesn't appear to support SANs so I created a certificate with SANs for use with IIS using OpenSSL. Check out my blog post about it:

IIS 7 provides some easy-to-use wizards to create SSL certificates, however not very powerful ones. What I needed to do was to create SSL certificates that included an X.509 v3 extension, namely subject alternative names, a.k.a. SANs. What SANs do is allow the website certificate to validate incoming requests by more than one URL domain name. This is really important when the web server is running web services such as WCF services and when other web services connect to them over SSL connections, as with service-oriented architectures. Unless special code is added to the web services to override the default SSL validation handler routines, the common name (CN) of the certificate MUST match the incoming request URL domain. So if the request was made using an FQDN, the certificate must have the FQDN as a CN or a SAN; an IP address or just a hostname will cause an SSL validation error and the connection will fail.

SANs to the rescue… SANs support, among other things, DNS names and IP addresses. So by creating the certificate with SANs of the server FQDN and IP address, it increases the ways that other web services can connect.

There are a number of tools that can generate certificates: makecert.exe, keytool.exe (Java), selfssl.exe and openssl.exe. In addition, starting with Windows Vista and Server 2008, Microsoft added the CertEnroll API, which can also create certificates programmatically through COM interfaces.

OpenSSL ended up doing exactly what I needed it to do. The process was fairly straightforward.

  1. Construct an OpenSSL config file.

     [req]
     distinguished_name = req_distinguished_name
     x509_extensions = v3_req
     prompt = no

     [req_distinguished_name]
     C = US
     ST = VA
     L = Somewhere
     O = MyOrg
     OU = MyOU
     CN = MyServerName

     [v3_req]
     keyUsage = keyEncipherment, dataEncipherment
     extendedKeyUsage = serverAuth
     subjectAltName = @alt_names

     [alt_names]
     DNS.1 = MyServerName
     DNS.2 = 10.0.1.34
     IP.1 = 10.0.1.34
     IP.2 = 192.167.20.1

  2. Create x509 request with OpenSSL

     openssl.exe req -x509 -nodes -days 730 -newkey rsa:2048 -keyout C:\cert.pem -out C:\cert.pem -config C:\PathToConfigFileAbove.txt

  3. Create a PFX containing the keypair

     openssl.exe pkcs12 -export -out C:\cert.pfx -in C:\cert.pem -name "My Cert" -passout pass:mypassword

  4. Import the PFX into IIS using the import link in the server certificates area.

  5. Bind the certificate to the IIS websites.

And voila, we now have an SSL certificate for IIS with SANs, so we can connect using multiple domain names without certificate validation errors.

Source: Creating certificates with SANs using OpenSSL by Andy Arismeti, Thursday, September 1, 2011

Nomanomad answered 15/10, 2011 at 4:21
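The five steps above as one POSIX shell script, followed by the check the answer leaves out: confirming that the resulting certificate carries a real subjectAltName extension and a single CN in its Subject (the makecert multiple-CN workaround described further down this page produces no SAN at all). This is an added example, not code from the answer or from Andy Arismeti's post; it assumes openssl 1.1.1 or newer on PATH and uses a shortened distinguished name with the answer's sample name and address.

```shell
# Added example, not the answer's own script: config -> self-signed cert -> PFX,
# then inspect the Subject and the SAN extension. Assumes openssl >= 1.1.1 on
# PATH (needed for `x509 -ext`). Names/addresses are the answer's sample values.
set -eu

# Step 1: write the config. v3_req puts the names into a subjectAltName extension.
write_config() {  # $1 = path of config file to create
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
O = MyOrg
CN = MyServerName
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = MyServerName
IP.1 = 10.0.1.34
EOF
}

# Steps 2 and 3: self-signed cert + key in one PEM, then a PFX for the IIS import.
make_san_cert() {  # $1 = working dir; creates cert.pem and cert.pfx inside it
    write_config "$1/san.cnf"
    openssl req -x509 -nodes -days 730 -newkey rsa:2048 \
        -keyout "$1/cert.pem" -out "$1/cert.pem" -config "$1/san.cnf" 2>/dev/null
    openssl pkcs12 -export -out "$1/cert.pfx" -in "$1/cert.pem" \
        -name "My Cert" -passout pass:mypassword
}

# Check 1: the SAN extension value, whitespace stripped (empty if the cert has none).
san_of() {  # $1 = PEM certificate
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2p' | tr -d ' '
}

# Check 2: number of CN= components in the Subject; a real SAN cert needs only one.
cn_count() {  # $1 = PEM certificate
    openssl x509 -in "$1" -noout -subject | grep -o 'CN *=' | wc -l | tr -d ' '
}

work=$(mktemp -d)
make_san_cert "$work"
echo "Subject CNs: $(cn_count "$work/cert.pem")"  # 1
echo "SAN: $(san_of "$work/cert.pem")"             # DNS:MyServerName,IPAddress:10.0.1.34
```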
An even easier way is to use the New-SelfSignedCertificate PowerShell commandlet, which includes a SAN by default. In a single command you can create the certificate and add it to the store.

New-SelfSignedCertificate -DnsName localhost -CertStoreLocation cert:\LocalMachine\My

Note that you need to run PowerShell as an administrator.

Blairblaire answered 28/4, 2017 at 2:6
how do you pass the subject alternative name(s) to that commandlet? - Selvage
It creates one for you based on the DnsName provided. You can also pass in a comma delimited list if you need to support multiple URLs. E.g. New-SelfSignedCertificate -DnsName localhost, mysite.com, test.com -CertStoreLocation cert:\LocalMachine\My - Blairblaire
Even if you install Powershell v4, this command is ONLY available on Windows Server 2012+ and Windows 8+ (or maybe 8.1+ ??) No Win 7 and no Server 2008 :( - Johnson
@Johnson Considering that this is a self-signed certificate, I think that needing to install it on a server kinda tells you that you should consider grabbing a certificate from, say Let's Encrypt. - Casemate
How to issue a certificate using my own TestCA through New-SelfSignedCertificate? - Yamen
I was recently trying to do this again for Win7: just use a Win 2012 machine, create cert, then export and import to the Win7 box and it works fine. - Johnson
Relevant: How to create self-signed SAN certificate in IIS? - Arvind
Update

The certificate generated using the below makecert method does not work reliably in all browsers, because it does not actually generate a "Subject Alternative Name".

If you examine the certificate you will see that it does not actually have a Subject Alternative Name field, but instead specifies multiple CN in the Subject field.

E.g.

Subject:
CN = blah.foo.corp
CN = blah

Whereas a real "SAN" cert would have something like:

Subject Alternative Name:
DNS Name=blah.foo.corp
DNS Name=blah

To understand the differences and history between the "Subject" field with "Common Name" and the "Subject Alternative Name" field, I recommend reading The (soon to be) not-so Common Name.

So it appears that makecert cannot be used to generate a true "SAN" cert, and you will need to use other tools, such as openssl.


Original Answer:

At least with the version of makecert that comes with Visual Studio 2012, you can specify multiple subjects, simply by specifying a comma-separated list: -n "CN=domain1, CN=domain2"

E.g. (from the technet blog Makecert.exe SAN and Wildcard certificate)

makecert -r -pe -n "CN=*.fabrikam.com, CN=*.contoso.com" -b 01/01/2010 -e 01/01/2100 -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048
Ungula answered 20/6, 2013 at 22:39
To be clear, you don't want to use multiple SubjectCNs, as Firefox only respects the last and Chrome only respects the first. - Pheasant
