Saturday, March 25, 2006

Scripting Certificate Requests with a Subject Alternative Name...

Man, I can't believe how difficult it was to track this down... it seems every page on the web has 99% of the info, but gives examples for uses like DC auth and SmartCard enrollment... I finally figured it out with a bit of trial and error though, so here's how you would issue a certificate for plain old server authentication (i.e. SSL) with a subject alternative name.

First, create a certreq.inf file with the following contents:
[NewRequest]
Subject = "CN=hostname"
KeySpec = 1
KeyLength = 1024
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; 0xa0 = Digital Signature (0x80) + Key Encipherment (0x20)
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

Next, create your request file by running certreq on the target machine as follows:

certreq -new c:\certreq.inf c:\servercert.req

This requires certreq from the 2003 admin tools (I think... maybe it's the reskit or support tools... can't remember) and the certreq.inf file in the root of C:.

Jump onto your issuing CA (it is Windows Server 2003, isn't it?) and run the following (the first command should all be on one line):

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop "certificate services"
net start "certificate services"

Now take that servercert.req file and transfer it to your issuing CA. On the issuing CA, run (again, all on one line):

certreq -q -attrib "SAN:DNS=whatever.alternate.name.you.want" -submit c:\servercert.req

And that's it. Man, I lost some sleep over that... glad it's sorted!
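Here is an added PowerShell example (not from the original post) that scripts the whole thing without switching on EDITF_ATTRIBUTESUBJECTALTNAME2, a CA-wide flag that lets any requester put any SAN on any certificate the CA issues: it writes the SAN into the request's own extensions instead (needs the certreq that ships with Vista / Server 2008 or later), generates the request, and checks whether the flag is already set on the CA. Function names, hostnames and paths are assumptions.

```powershell
# Added example, not the original post's code. Function names are hypothetical.
# The SAN travels inside the PKCS#10 request, so the CA does not need the
# EDITF_ATTRIBUTESUBJECTALTNAME2 flag. Requires certreq from Vista/2008 or later.
function New-SanRequestInf {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [Parameter(Mandatory)][string[]]$DnsNames,
        [string]$Path = "$env:TEMP\certreq.inf"
    )
    # Same [NewRequest] settings as the post (2048-bit key instead of 1024), plus an
    # [Extensions] section that embeds the SAN (OID 2.5.29.17) in the request.
    # SAN entries are separated by '&', so every entry except the last gets one.
    $lines = for ($i = 0; $i -lt $DnsNames.Count; $i++) {
        $sep = if ($i -lt $DnsNames.Count - 1) { '&' } else { '' }
        "_continue_ = `"dns=$($DnsNames[$i])$sep`""
    }
    $inf = @"
[NewRequest]
Subject = "CN=$CommonName"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
$($lines -join "`r`n")
"@
    Set-Content -Path $Path -Value $inf -Encoding Ascii
    return $Path
}

function Test-CaAllowsSanAttribute {
    # Defender check, run on the CA itself: certutil prints the flag name when it is set.
    $out = certutil -getreg policy\EditFlags 2>&1 | Out-String
    return [bool]($out -match 'EDITF_ATTRIBUTESUBJECTALTNAME2')
}

$inf = New-SanRequestInf -CommonName 'web01.example.com' -DnsNames 'web01.example.com', 'www.example.com'
certreq -new $inf "$env:TEMP\servercert.req"
# On the CA: certreq -submit "$env:TEMP\servercert.req"   (no -attrib "SAN:..." needed)
if (Test-CaAllowsSanAttribute) {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: requesters can add any SAN to any certificate this CA issues.'
}
```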
