
Ideally every domain or website gets its own dedicated certificate. But if each domain needs a dedicated certificate, you have to buy, renew and track a certificate for every domain you own. Consider a large company that owns thousands of domains, subdomains, web services, and websites. Companies do not create domains and host websites only for public or client interaction; they also create them for internal purposes: testing development projects, DR, backup and staging environments, custom projects for monitoring and managing internal infrastructure, and tooling for operating internal departments. There is no end to the reasons, and many of these services live only for a limited time. Buying a separate certificate for each of them would cost a fortune, which is why companies prefer multi-domain certificates: they lower the burden on both the Certificate Authority and the certificate owner. The next question is how to get a multi-domain certificate from a Certificate Authority. The short answer is to generate a multi-domain CSR (Certificate Signing Request) and submit it to the CA. If you don't know how to generate a multi-domain CSR, this post is for you: it shows how to generate one on a Windows Server.

You can also generate a multi-domain CSR using OpenSSL, a cross-platform open-source toolkit for managing PKI certificates. We have covered that in a different post: How To Generate A CSR For A Multi-Domain SSL Certificate Using OpenSSL.

What Is A Multi-Domain/SAN Certificate?

Multi-domain certificates are certificates that can validate more than one domain name. They are known by two other names: UCC, which stands for Unified Communications Certificate, and SAN certificate, after the Subject Alternative Name extension that carries the extra names.

If you have ever created a Certificate Signing Request for a single-domain certificate, you are probably familiar with the Common Name field, which holds the Fully Qualified Domain Name (FQDN) the certificate is for. A certificate cannot have several Common Names: there is exactly one, the primary domain. The additional names go into the Subject Alternative Name (SAN) extension, shown as DNS Name or Alt Name entries by most tools, and each of them is matched against the host name the client connects to, just as the Common Name used to be. That is why these are also called SAN certificates. One caveat a practitioner should know: modern browsers (Chrome since version 58, for example) ignore the Common Name entirely and match only the SAN entries, so the primary domain must also be listed as a SAN. A Common Name that is not repeated in the SAN list will not validate for that host.

Let’s see an example of a multi-domain or SAN certificate:

CN (Common Name) = example.com
DNS 1 = example.com
DNS 2 = www.example.com
DNS 3 = mydomain.com
DNS 4 = exampledomain.com

A certificate created with this information secures all four domains, and the same certificate can be served for any of them. Note that example.com appears both as the Common Name and as the first SAN entry, because browsers that ignore the Common Name will only accept the certificate for the names in the SAN list.

What Is The Maximum Number Of Domains/SANs Allowed In An SSL Certificate?

Different Certificate Authorities set different maximum limits. Public CAs commonly cap a certificate at somewhere on the order of 100 to 250 SAN entries (Let’s Encrypt, for example, allows 100 names per certificate), and Windows Certificate Services is reported to cap the SAN data at about 4 KB. RFC 5280 itself does not specify a maximum: Section 4.2.1.6 defines the extension as a SEQUENCE SIZE (1..MAX) OF GeneralName, and the value of MAX is left unspecified, meaning as many as the implementation supports. Check your CA’s limit before building a very long SAN list.

How To Generate A Multi-Domain CSR On A Windows Server?

Let’s see how to generate a multi-domain CSR on a Windows Server that can be used to secure multiple domains, that is, how to add multiple SAN, DNS, or Alt Name entries to the request.

Time needed: 5 minutes.


  1. Open MMC on the Windows server. Press Win + R to open the Run dialog, type mmc in the box, and press OK.
  2. Add the Certificates snap-in. Go to File > Add/Remove Snap-in...
  3. Select Certificates and press Add.
  4. Choose the User or Computer certificate store. Select the account for which the certificate will be created. For this demonstration we choose Computer account. Click Next.
  5. Select Local computer, since you are creating the CSR on this computer. Click Finish.
  6. Confirm that Certificates (Local Computer) is listed and click OK.
  7. Create a custom request. In the console, expand Certificates (Local Computer), right-click the Personal folder and select All Tasks > Advanced Operations > Create Custom Request.
  8. The Certificate Enrollment wizard opens. Click Next.
  9. Select Proceed without enrollment policy and click Next.
  10. On the Custom request page, keep the request format set to PKCS #10 and click Next. The default template, (No template) CNG key, works for IIS and modern TLS stacks; pick (No template) Legacy key only if an older application on this server requires a CSP-based key.
  11. On the Certificate Information page, expand the Details drop-down and click Properties.
  12. On the General tab, enter a Friendly name so you can recognise the request later.
  13. Add the CSR contents on the Subject tab. Under Subject name, pick Common name from the Type drop-down, enter the primary domain and click Add; add Organization, Locality, State and Country the same way if your CA requires them. Under Alternative name, pick DNS from the Type drop-down and add one entry per domain the certificate should cover. Repeat the Common name as the first DNS entry, because browsers match only the SAN list. Each DNS entry represents one domain name.

    Example:
    CN = securitymaster.dev
    DNS = securitymaster.dev
    DNS = thecrypticworld.com
    DNS = example.com
    DNS = deals.com
    DNS = <any further domain>

  14. Set the private key options on the Private Key tab. Expand Key options and set Key size to 2048 (or larger if your CA requires it). Tick Make private key exportable only if you will need to move the certificate and its key to another server; otherwise leave it unchecked so the key cannot be extracted from this machine. If a Select Hash Algorithm section is shown, choose sha256. Click OK.
  15. Save the request. Click Next, select Base 64 as the file format, and click Browse.
  16. Choose a location, enter a file name for the CSR, and click Save.
  17. Click Finish.
  18. The CSR file is now at the location you chose and can be submitted to the Certificate Authority. The private key stays in the computer’s certificate store: the pending request is listed under Certificate Enrollment Requests until the issued certificate is imported on the same machine, which pairs it with the key. Importing the certificate on a different machine will not work unless you exported the key.
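The wizard above can be replaced by a script when you have many requests to produce. The following is an added example, not code from the original post: it builds the same multi-domain request from the command line with certreq.exe and an INF file, the documented Windows way to put a SAN extension (OID 2.5.29.17) into a PKCS #10 request. It assumes a Windows Server with the built-in certreq.exe and certutil.exe, an elevated PowerShell session so the key can be stored in the machine store, and the post’s example domain names; the organization values in the Subject line are placeholders.

```powershell
# Added example (not from the original post): build a multi-domain CSR with certreq.exe
# and an INF file instead of the MMC wizard.
# Assumptions: Windows with certreq.exe/certutil.exe, elevated PowerShell (MachineKeySet),
# and the post's example domain names; O/L/S/C values below are placeholders.

$CommonName = 'securitymaster.dev'
$SanNames   = @('securitymaster.dev', 'thecrypticworld.com', 'example.com', 'deals.com')
$RequestInf = Join-Path $env:TEMP 'multidomain.inf'
$CsrPath    = Join-Path $env:TEMP 'multidomain.csr'

# Browsers match only the SAN list, so make sure the CN is also a SAN entry.
if ($SanNames -notcontains $CommonName) { $SanNames = @($CommonName) + $SanNames }

# certreq INF syntax for the SAN extension: one "{text}" value continued over
# several _continue_ lines, with the entries joined by '&'.
$sanLines = for ($i = 0; $i -lt $SanNames.Count; $i++) {
    $suffix = if ($i -lt $SanNames.Count - 1) { '&' } else { '' }
    '_continue_ = "dns={0}{1}"' -f $SanNames[$i], $suffix
}

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$CommonName, O=Example Org, L=City, S=State, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`n")
"@

Set-Content -Path $RequestInf -Value $inf -Encoding ASCII

# Generates the key pair in the machine store and writes the Base64 PKCS #10 request.
& certreq.exe -new $RequestInf $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Sanity check before submitting to the CA: every SAN must appear in the decoded request.
$dump = & certutil.exe -dump $CsrPath | Out-String
foreach ($name in $SanNames) {
    if ($dump -notmatch [regex]::Escape("DNS Name=$name")) {
        Write-Warning "SAN missing from CSR: $name"
    }
}
Get-Content $CsrPath
```

KeyUsage 0xA0 is digitalSignature plus keyEncipherment, the usual pair for a TLS server key, and the EKU OID 1.3.6.1.5.5.7.3.1 is Server Authentication. Exportable is set to FALSE so the key cannot be pulled out of the machine store later; change it to TRUE only if you intend to move the certificate and key to another server. The generated request lands in the Certificate Enrollment Requests store, exactly as the wizard’s does, and is completed with certreq -accept once the CA returns the certificate.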

If you open a CSR in a text editor you will see only Base64-encoded text between BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST markers (Windows uses the NEW CERTIFICATE REQUEST label, OpenSSL writes CERTIFICATE REQUEST; both are the same PKCS #10 structure). You need to decode it to read the contents and to check the SAN list before submitting it. Locally, run certutil -dump request.csr on Windows, or openssl req -noout -text -in request.csr wherever OpenSSL is installed. Online decoders work too. One we like is Namecheap’s:

https://decoder.link/resultt

Copy and paste the contents of your CSR into the box and click Decode. It not only decodes the CSR but also reports any errors it finds. A CSR carries only the public key, the requested names and a signature, so pasting it into a web tool exposes nothing secret; never paste the private key into any online tool.
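A script that checks the decoded request for the mistakes that most often get a multi-domain CSR rejected or issued wrongly, as an added example that is not part of the original post. It wraps certutil -dump, so it assumes Windows with certutil.exe and the line formats that certutil prints for a request (one RDN per line under Subject, DNS Name= entries under Subject Alternative Name, and a Public Key Length: N bits line); the function and parameter names are this example’s own.

```powershell
# Added example (not from the original post): decode a CSR locally with certutil
# and check it before submitting. Assumes Windows with certutil.exe and the
# "CN=", "DNS Name=" and "Public Key Length: N bits" lines of certutil -dump output.

function Test-MultiDomainCsr {
    param(
        [Parameter(Mandatory)] [string] $Path,       # path to the Base64 PKCS #10 file
        [string[]] $ExpectedNames = @(),             # names that must be in the SAN list
        [int] $MinKeyBits = 2048
    )
    $dump = & certutil.exe -dump $Path | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $Path (is it a PKCS #10 request?)" }

    # Subject is printed one RDN per line, e.g. "    CN=securitymaster.dev".
    $cn = [regex]::Match($dump, '(?m)^\s*CN=([^,\r\n]+)').Groups[1].Value.Trim()
    # Each SAN entry is printed as "        DNS Name=host".
    $sans = @([regex]::Matches($dump, '(?m)^\s*DNS Name=(\S+)') | ForEach-Object { $_.Groups[1].Value })
    $keyBits = [int][regex]::Match($dump, 'Public Key Length:\s*(\d+)\s*bits').Groups[1].Value

    $problems = @()
    if (-not $cn)          { $problems += 'no Common Name found' }
    if ($sans.Count -eq 0) { $problems += 'no Subject Alternative Name extension: this is a single-name request' }
    if ($cn -and $sans -notcontains $cn) {
        $problems += "CN '$cn' is not in the SAN list; browsers that ignore the CN will reject it for that host"
    }
    if ($keyBits -lt $MinKeyBits) { $problems += "key is $keyBits bits, below the $MinKeyBits-bit minimum" }
    foreach ($n in $ExpectedNames) {
        if ($sans -notcontains $n) { $problems += "expected name missing from SAN list: $n" }
    }
    $dup = @($sans | Group-Object | Where-Object Count -gt 1 | ForEach-Object Name)
    if ($dup.Count -gt 0) { $problems += "duplicate SAN entries: $($dup -join ', ')" }

    [pscustomobject]@{
        Path            = $Path
        CommonName      = $cn
        SubjectAltNames = $sans
        KeyBits         = $keyBits
        Problems        = $problems
        Ok              = ($problems.Count -eq 0)
    }
}

# Usage: run against the file saved by the wizard, listing every domain it must cover.
Test-MultiDomainCsr -Path (Join-Path $env:TEMP 'multidomain.csr') `
    -ExpectedNames 'securitymaster.dev', 'thecrypticworld.com', 'example.com', 'deals.com'
```

The Ok flag is false whenever the Problems list is non-empty; the check that catches the most real-world trouble is the CN-not-in-SAN one, which the online decoder will happily report as a valid request.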
