So, I have no idea how I got this to work yesterday. I did some further work and removed the working certificate, then could not get it to work again? On inspecting the certificates that were being generated I could see there were no SAN entries? But no errors were generated. I tried on the CLI of the CA server and got the same: certificates were generated with no errors but no SAN 😞 I tried on the CLI of the CA server, but using our old CA to generate the cert; certificates were generated with no errors and a SAN was listed. Bit of further research and discovered that you can enable/disable SAN on certificates. There are policies for certificate creation and one is (EDITF_ATTRIBUTESUBJECTALTNAME2) for SAN. It's a registry key, but we can also do this. To view the policy we use...

certutil -getreg policy\EditFlags

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\cumberland-PROD-MSAPP01-CA-1\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:
  EditFlags REG_DWORD = 11014e (1114446)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
And to update the policy:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Old Value:
  EditFlags REG_DWORD = 11014e (1114446)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
New Value:
  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.

After restarting the CertSvc service, SAN creation now works. I can now create a certificate with SAN names for all our firewalls and that will be accepted by Chrome.

Rob
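To review the same setting without decoding the DWORD by hand, here is an added PowerShell snippet (not part of Rob's post) that reads EditFlags from the registry path shown above for every CA on the host and breaks it into the named bits listed in the certutil output. It assumes it runs on the CA server with rights to read HKLM and that each CA sits as a direct subkey of CertSvc\Configuration.

```powershell
# Added example: decode the CertSvc EditFlags bitmask for each CA configured on this host.
# Bit values are the ones certutil -getreg printed above; any other set bits are reported as unknown.
$EditFlagNames = [ordered]@{
    0x2      = 'EDITF_REQUESTEXTENSIONLIST'
    0x4      = 'EDITF_DISABLEEXTENSIONLIST'
    0x8      = 'EDITF_ADDOLDKEYUSAGE'
    0x40     = 'EDITF_BASICCONSTRAINTSCRITICAL'
    0x100    = 'EDITF_ENABLEAKIKEYID'
    0x10000  = 'EDITF_ENABLEDEFAULTSMIME'
    0x40000  = 'EDITF_ATTRIBUTESUBJECTALTNAME2'
    0x100000 = 'EDITF_ENABLECHASECLIENTDC'
}

function Get-CaEditFlags {
    $configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # Assumption: each CA (e.g. cumberland-PROD-MSAPP01-CA-1) is a direct subkey of Configuration.
    foreach ($ca in Get-ChildItem -Path $configRoot -ErrorAction Stop) {
        $policyKey = Join-Path $ca.PSPath 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'
        if (-not (Test-Path $policyKey)) { continue }   # not a CA key, skip it

        $raw     = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
        $set     = @()
        $unknown = $raw
        foreach ($bit in $EditFlagNames.Keys) {
            if ($raw -band $bit) {
                $set    += $EditFlagNames[$bit]
                $unknown = $unknown -band (-bnot $bit)
            }
        }

        [pscustomobject]@{
            CA             = $ca.PSChildName
            EditFlagsHex   = ('{0:x}' -f $raw)
            SanFromRequest = [bool]($raw -band 0x40000)   # EDITF_ATTRIBUTESUBJECTALTNAME2 set?
            Flags          = ($set -join ', ')
            UnknownBits    = ('{0:x}' -f $unknown)
        }
    }
}

Get-CaEditFlags | Format-List
```

A SanFromRequest of True means the CA will honour a SAN supplied in the request attributes regardless of template, so it is a setting worth keeping in the change record and rechecking after each CA change.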