• Home
  • |
  • Blog
  • |
  • How To Generate A Multi-Domain CSR On A Windows Server?
How to Generate a Multi-Domain CSR on A Windows Server

It is ideal to have a dedicated digital certificate for a domain/website. However, if you are going to have a dedicated digital certificate for each domain, you should buy certificates for all your domains. Let’s take a scenario of a large company that owns thousands of domains, subdomains, web services, and websites. Companies do not just create domains and host websites for public/client interactions. They create domains and host websites for their internal purpose like testing the development projects, creating DR, backup, or stagging environments, costume protects for internal infrastructure monitoring and managing or operating internal departments. There is no end for reasons. Such companies host a lot of web services for a limited amount of time. If they start buying certificates for all such reasons, they should reserve millions of dollars just to buy certificates. This is why companies always prefer buying multi-domain certificates. It lowers the burden of both Certificate Authority and Certificate owners. The next question comes in how to get a multi-domain certificate from a Certificate Authority. The simple answer to this question is to generate a multi-domain CSR (Certificate Signing Request) and submit the CSR to the Certificate Authority. If you don’t know how to generate a multi-domain CSR. This post is for you. This post will show you how to generate a multi-domain CSR on a Windows Server.

You can also generate a multi-domain CSR using OpenSSL, a cross-platform open-source certificate utility to manage PKI certificates. We have covered that in a different post. Please read the post to know How To Generate A CSR For A Multi-Domain SSL Certificate Using OpenSSL.

What Is A Multi-Domain/SAN Certificate?

Multi-domain certificates are certificates that can be used to validate more than one domain name. They are also known by two other names. 1. UCC, which stands for “unified communication certificate,” and 2. SAN (which stands for “subject alternative name”) certificates.

Well, suppose you ever created a Certificate Signing Request for a single domain certificate. In that case, you might be aware of the ‘common name’ field, which contains a Fully Qualified Domain Name (FQDN) for which the certificate is created. Well, if you think you will have multiple common names in a single SSL certificate, you are wrong. You will have only one common name, which is the primary domain of the certificate. In addition to that, you will have multiple Subject Alternative Names (SAN) or Alt Name or DNS Name in the certificate. Each SAN will serve as a common name. That’s why it is also called SAN certificate.

Let’s see an example of a multi-domain or SAN certificate:

If you create a certificate with this information, the certificate will secure all four domains. The same certificate can be used for any of the four domains.

CN (Common Name) = example.com
DNS 1 = www.example.com
DNS 2 = mydomain.com
DNS 3 = exampledomain.com

What Is The Maximum Number Of Domain/SAN Are Allowed In A SSL Certificate?

Different Certificate Authorities have specified different maximum limits. Windows Certificate Authority has set the limit up to 4 Kb. However, RFC5280 Section 4.2.1. doesn’t specify the maximum limit. the range is defined as 1…MAX. The value of MAX is not specified.

How To Generate A Multi-Domain CSR On A Windows Server?

Let’s see how to generate a multi-domain CSR on a Windows Server that can be used to secure multiple domains. Let’s learn how to add multiple SAN, DNS, or Alt Names to the CSR.

Time needed: 5 minutes.

How to generate a multi-domain CSR in a Windows server?

  1. Open MMC in Windows server

    Hit Win + R to open the Run utility
    Type mmc in the box.
    Press Ok.
    Open mmc in Windows Server

  2. Add Certificate Snap-in

    Go to File > Add/Remove Snap-in..Add Certificate Snap-in

  3. Select Certificates and press Add

    Certificate Snap-in

  4. Select the User or Computer Certificate snap-in

    Select the snap-in which you want to create the certificate. For demonstration we are choosing Compute account.
    Click Next.
    Select Computer account

  5. Select Local Computer

    Select local computer as you are going to create CSR on the same computer.
    Click Finish.Select Local Computer

  6. Select Certificate (Local Computer) and click Ok

    Select Local Computer snap-in

  7. Create Custom Request

    Access your MMC snap in > right click the Personal folder.
    Select All Tasks > Advanced Operations > Create Custom Request.Create-Custom-CSR-request

  8. CSR generation wizard

    The CSR generation wizard will open > Click Next.CSR generation wizard

  9. Proceed without enrollment policy

    Select the option to Proceed without enrollment policy > Click Next.Proceed without enrollment policy

  10. Click Next at the PKCS # 10 window.

    select PKCS # 10

  11. Edit Properties

    From the Details drop-down menu > Click Properties.Edit Properties

  12. Enter a Friendly Name

    Give a name

  13. Add the CSR contents:

    Access the Subject tab > in the Subject name: select the types (Common name) from the dropdown list and add the values required for your CSR. Just add the multiple DNS values as shone here. Each DNS represents a domain name.

    Example:
    CN =
    <thesecmaster.com>
    DNS = <thecrypticworld.com>
    DNS = <example.com>
    DNS = <deals.com>
    DNS =
    <domain>


    multi-domain CSR on Windows Server

  14. Set Private Key settings

    Click the Private Key tab > click the drop-down for Key options > select Key size: 2048 and check the option to Make private key exportable > Click OK.Set Private Key Settings

  15. Save the CSR file to a location.

    Select Base 64 and Click Next > Click Browse.Save CSR file

  16. Select a location to save the CSR file. Enter a name for the file and click Save.

    Chose location to save CSR file

  17. Click Finish.

    Fisish

  18. The CSR file will be present at the location you saved it and can be used to request the SSL certificate as needed.

If you ever try opening a CSR from using a text editor, you will see a base64 encoded text. You should need to decode it to read the content of the CSR. Either you can use OpenSSL or online tools to decode the CSR. We want to introduce one such wonderful tool for you.

amecheap: https://decoder.link/resultt

Copy and paste the content of your CSR here in the box and click Decode. It not just decode the CSR but also report for any errors if it has.

We hope this post has helped you learn How to Generate a Multi-Domain CSR on A Windows Server. Thanks for reading this post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.