If you want to use Subject Alternative Names (SANs) on internal SSL certificates issued by Active Directory Certificate Services (AD CS), you have to configure the CA (Certificate Authority) to accept the SAN attribute from a certificate request.

By default (for security reasons) the AD CS CA ignores a SAN attribute supplied with a request: once it honors the attribute, the CA puts whatever names the requester asks for into the issued certificate.

Being able to connect to an internal web server by its CNAME alias, its FQDN or its NetBIOS name without certificate warnings is one example of where this becomes useful.

Run the following commands on the CA to configure it:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

net stop certsvc

net start certsvc
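Because the flag makes the CA trust request-supplied names, it is worth being able to check, before and after the change, whether a given CA has it set. The PowerShell function below is an added example written for this post (not from the original article or from Microsoft): it reads the EditFlags value of the default policy module straight from the CertSvc registry configuration and reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 (documented value 0x40000) is present. It assumes it runs on the CA host and that the CA uses the default policy module key name shown in the code.

```powershell
# Audit an AD CS CA for the EDITF_ATTRIBUTESUBJECTALTNAME2 policy flag.
# Added example for this post; run locally on the CA with administrative rights.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # documented value of the flag

function Get-CaSanFlagState {
    # The CertSvc configuration key stores the active CA name in the "Active" value
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active

    # Assumes the default policy module (the key name below is its default)
    $policyKey = Join-Path $base "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags

    [pscustomobject]@{
        CAName               = $caName
        EditFlags            = ('0x{0:X}' -f $editFlags)
        # $true means the CA will honor a san: attribute in any accepted request
        RequestSuppliedSanOn = (($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
    }
}

Get-CaSanFlagState
```

The same value is what `certutil -getreg policy\EditFlags` prints; reading the registry directly just avoids parsing certutil's text output. Running the function after the three commands above should show RequestSuppliedSanOn as True.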


To add a Subject Alternative Name to a certificate, add the following to the request's attributes:

san:dns=dns_name

where dns_name is the required Subject Alternative Name.

You can specify more names by repeating the dns= part and separating the entries with an ampersand (&), for example san:dns=name1&dns=name2.


AD CS will accept the request and issue a certificate with Subject Alternative Names in it.
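The request side end to end, as an added example for this post (not the original article's code): a certreq INF for a machine server-authentication key, submission with the san: attribute, installation of the issued certificate, and finally a read-back of the SAN extension so you can confirm which names the CA actually put in. The host names, the CA configuration string and the template name are placeholders to replace with your own.

```powershell
# Request a certificate with request-supplied SANs and verify the result.
# Added example for this post; all names below are constructed placeholders.
$subject   = 'CN=web01.corp.example'                                        # placeholder subject
$sanAttrib = 'san:dns=web01.corp.example&dns=intranet.corp.example&dns=web01' # names for the SAN
$caConfig  = 'ca01.corp.example\Corp Issuing CA'                            # placeholder "<host>\<CA name>"
$work      = Join-Path $env:TEMP 'san-request'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Policy file for certreq -new: machine key, server authentication usage.
#    The template name under [RequestAttributes] is assumed; use the one your CA publishes.
@"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$work\request.inf" -Encoding ASCII

# 2. Generate the CSR, submit it with the SAN attribute, install the issued certificate
certreq -new "$work\request.inf" "$work\request.req"
certreq -submit -config $caConfig -attrib $sanAttrib "$work\request.req" "$work\issued.cer"
certreq -accept "$work\issued.cer"

# 3. Read back the Subject Alternative Name extension (OID 2.5.29.17) of the issued certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$work\issued.cer"
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $san.Format($true) } else { 'No Subject Alternative Name extension present' }
```

Step 3 is the useful check on both sides: the server admin sees that every alias is covered, and anyone reviewing issued certificates can see the names a requester chose rather than trusting the request.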

Remember to update the HTTPS bindings after installing the certificate on your internal web server (IIS).

Follow this reference guide from TechNet, How to Request a Certificate With a Custom Subject Alternative Name: http://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx#BKMK_Security

Another interesting web article with configuration sample: http://www.ldap389.info/en/2011/04/29/powershell-enterprise-ca-pki-create-san-certificate-iis-7-server-we/