First, create a certreq.inf file with the following contents:
Subject = "CN=hostname"
KeySpec = 1
KeyLength = 1024
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
OID = 126.96.36.199.188.8.131.52.1
Next, create your request file by running certreq on the target machine as follows:
certreq -new c:\certreq.inf c:\servercert.req
This requires certreq from the 2003 admin tools (i think... maybe it's the reskit or support tools... can't remember) and the certreq.inf file in the root of C.
Jump onto your issuing CA (it is Windows Server 2003, isn't it?) and run the following (the first command should all be on one line):
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop "certificate services"
net start "certificate services"
Now take that servercert.req file and transfer it to your issuing CA. On the issuing CA, run (again, all on one line):
certreq -q -attrib "SAN:DNS=whatever.alternate.name.you.want" -submit c:\servercert.req
And that's it. Man I lost some sleep over that... glad it's sorted!