Ideally, every domain or website would have its own dedicated digital certificate. However, if you want a dedicated certificate for each domain, you have to buy a certificate for every domain you own. Consider a large company that owns thousands of domains, subdomains, web services, and websites. Companies do not create domains and host websites only for public or client interactions. They also create domains and host websites for internal purposes: testing development projects, building DR, backup, or staging environments, running custom projects for monitoring and managing internal infrastructure, or operating internal departments. There is no end to the reasons. Such companies host many web services for only a limited time. If they bought a certificate for every one of them, they would have to reserve millions of dollars just for certificates. This is why companies prefer multi-domain certificates: they lower the burden on both the Certificate Authority and the certificate owner. The next question is how to get a multi-domain certificate from a Certificate Authority. The simple answer is to generate a multi-domain CSR (Certificate Signing Request) and submit it to the Certificate Authority. If you don’t know how to generate a multi-domain CSR, this post is for you. It shows how to generate a multi-domain CSR on a Windows Server.
You can also generate a multi-domain CSR using OpenSSL, a cross-platform open-source certificate utility to manage PKI certificates. We have covered that in a different post. Please read the post to know How To Generate A CSR For A Multi-Domain SSL Certificate Using OpenSSL.
What Is A Multi-Domain/SAN Certificate?
Multi-domain certificates are certificates that can be used to validate more than one domain name. They are also known by two other names:
1. UCC, which stands for “unified communication certificate”, and
2. SAN (which stands for “subject alternative name”) certificates.
If you have ever created a Certificate Signing Request for a single-domain certificate, you will be familiar with the ‘common name’ field, which holds the Fully Qualified Domain Name (FQDN) the certificate is issued for. If you expect a single SSL certificate to carry multiple common names, that is not how it works. A certificate has exactly one common name, which is the primary domain of the certificate. In addition, it carries multiple Subject Alternative Names (SAN), also called Alt Names or DNS Names. Each SAN is honoured by clients just like the common name, which is why such a certificate is also called a SAN certificate.
Let’s see an example of a multi-domain or SAN certificate:
CN (Common Name) = example.com
DNS 1 = www.example.com
DNS 2 = mydomain.com
DNS 3 = exampledomain.com
If you create a certificate with this information, the certificate will secure all four domains. The same certificate can be used for any of the four domains.
What Is The Maximum Number Of Domains/SANs Allowed In An SSL Certificate?
Different Certificate Authorities have specified different maximum limits. Windows Certificate Authority has set the limit up to 4 Kb. However, RFC 5280 Section 4.2.1 doesn’t specify a maximum: the range is defined as 1…MAX, and the value of MAX is not specified.
How To Generate A Multi-Domain CSR On A Windows Server?
Let’s see how to generate a multi-domain CSR on a Windows Server that can be used to secure multiple domains, that is, how to add multiple SAN, DNS, or Alt Name entries to the CSR.
Time needed: 5 minutes.
How to generate a multi-domain CSR in a Windows server?
- Open MMC in Windows Server: Hit Win + R to open the Run utility and type mmc in the box.
- Add the Certificates snap-in: Go to File > Add/Remove Snap-in..
- Select Certificates and press Add.
- Select the User or Computer certificate snap-in: Select the snap-in for which you want to create the certificate. For this demonstration we are choosing Computer account.
- Select Local Computer: Select the local computer, as you are going to create the CSR on the same computer.
- Select Certificates (Local Computer) and click OK.
- Create a Custom Request: In your MMC snap-in, right-click the Personal folder.
Select All Tasks > Advanced Operations > Create Custom Request.
- CSR generation wizard: The CSR generation wizard will open > Click Next.
- Proceed without enrollment policy: Select the option to Proceed without enrollment policy > Click Next.
- Click Next at the PKCS #10 window.
- Edit Properties: From the Details drop-down menu > Click Properties.
- Enter a Friendly Name.
- Add the CSR contents: Open the Subject tab > under Subject name: select the type (Common name) from the drop-down list and add the values required for your CSR. Add multiple DNS values as shown here. Each DNS entry represents a domain name.
CN = <securitymaster.dev>
DNS = <thecrypticworld.com>
DNS = <example.com>
DNS = <deals.com>
DNS = <domain>
- Set Private Key settings: Click the Private Key tab > click the drop-down for Key options > select Key size: 2048 and check the option to Make private key exportable > Click OK.
- Save the CSR file to a location: Select Base 64 and click Next > Click Browse.
- Select a location to save the CSR file. Enter a name for the file and click Save.
- Click Finish.
- The CSR file will be present at the location where you saved it and can be used to request the SSL certificate as needed.
If you open a CSR in a text editor, you will see Base64-encoded text. You need to decode it to read the contents of the CSR. You can decode it with OpenSSL or with an online CSR decoder; a good decoder not only decodes the CSR but also reports any errors it contains.
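The same multi-domain CSR that the MMC wizard above produces can be generated non-interactively with certreq, and decoded locally with certutil to confirm that every SAN is present before submitting it. This is an added example, not code from the original post; the domain names are the sample values used in the post, and the file paths under C:\csr are assumptions.

```powershell
# Added example: build the multi-domain CSR from the post with certreq instead of the MMC wizard.
# Paths are assumptions; domain names are the sample values from the post.
$inf = 'C:\csr\san-request.inf'
$csr = 'C:\csr\san-request.csr'
New-Item -ItemType Directory -Path (Split-Path $inf) -Force | Out-Null

$primary = 'securitymaster.dev'
# The primary name is listed as a SAN as well: modern browsers ignore the CN and
# only match names from the Subject Alternative Name extension.
$sans = @('securitymaster.dev', 'thecrypticworld.com', 'example.com', 'deals.com')

# Subject Alternative Name (OID 2.5.29.17) is written as "{text}" with one dns=
# entry per domain; certreq joins the _continue_ lines into a single value.
$sanLines = $sans | ForEach-Object { "_continue_ = `"dns=$_&`"" }

@"
[NewRequest]
Subject = "CN=$primary"
FriendlyName = "Multi-domain CSR for $primary"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xa0
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@ | Set-Content -Path $inf -Encoding ASCII

# Exportable = TRUE and MachineKeySet = TRUE mirror the wizard's "Make private key
# exportable" and "Local Computer" choices; KeyUsage 0xa0 = digitalSignature + keyEncipherment.
certreq -new $inf $csr

# Decode the Base64 CSR locally instead of pasting it into a web tool, and check
# that every SAN made it into the request before sending it to the CA.
$dump = certutil -dump $csr
$missing = $sans | Where-Object {
    -not ($dump | Select-String -SimpleMatch -Quiet "DNS Name=$_")
}
if ($missing) { Write-Warning "SAN entries missing from CSR: $($missing -join ', ')" }
else { Write-Host "CSR contains all $($sans.Count) SAN entries: $csr" }
```

Run this from an elevated PowerShell session, because MachineKeySet stores the private key in the Local Computer store, exactly as the Computer account snap-in does.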