How To Generate A Multi-Domain CSR On A Windows Server?

It is ideal to have a dedicated digital certificate for a domain/website. However, if you are going to have a dedicated digital certificate for each domain, you should buy certificates for all your domains. Let’s take a scenario of a large company that owns thousands of domains, subdomains, web services, and websites. Companies do not just create domains and host websites for public/client interactions. They create domains and host websites for their internal purposes like testing the development projects, creating DR, backup, or staging environments, costume protects for internal infrastructure monitoring, and managing or operating internal departments. There is no end for reasons. Such companies host a lot of web services for a limited amount of time. If they start buying certificates for all such reasons, they should reserve millions of dollars just to buy certificates. This is why companies always prefer buying multi-domain certificates. It lowers the burden of both Certificate Authority and Certificate owners. The next question comes in how to get a multi-domain certificate from a Certificate Authority. The simple answer to this question is to generate a multi-domain CSR (Certificate Signing Request) and submit the CSR to the Certificate Authority. If you don’t know how to generate a multi-domain CSR. This post is for you. This post will show you how to generate a multi-domain CSR on a Windows Server.

You can also generate a multi-domain CSR using OpenSSL, a cross-platform open-source certificate utility to manage PKI certificates. We have covered that in a different post. Please read the post to know How To Generate A CSR For A Multi-Domain SSL Certificate Using OpenSSL.

What Is A Multi-Domain/SAN Certificate?

Multi-domain certificates are certificates that can be used to validate more than one domain name. They are also known by two other names. 1. UCC, which stands for “unified communication certificate,” and 2. SAN (which stands for “subject alternative name”) certificates.

Well, suppose you ever created a Certificate Signing Request for a single domain certificate. In that case, you might be aware of the ‘common name’ field, which contains a Fully Qualified Domain Name (FQDN) for which the certificate is created. Well, if you think you will have multiple common names in a single SSL certificate, you are wrong. You will have only one common name, which is the primary domain of the certificate. In addition to that, you will have multiple Subject Alternative Names (SAN) or Alt Name or DNS Name in the certificate. Each SAN will serve as a common name. That’s why it is also called SAN certificate.

Let’s see an example of a multi-domain or SAN certificate:

If you create a certificate with this information, the certificate will secure all four domains. The same certificate can be used for any of the four domains.

CN (Common Name) = example.comDNS 1 = www.example.comDNS 2 = mydomain.comDNS 3 = exampledomain.com

What Is The Maximum Number Of Domain/SAN Are Allowed In An SSL Certificate?

Different Certificate Authorities have specified different maximum limits. Windows Certificate Authority has set the limit up to 4 Kb. However, RFC5280 Section 4.2.1. doesn’t specify the maximum limit. the range is defined as 1…MAX. The value of MAX is not specified.

How To Generate A Multi-Domain CSR On A Windows Server?

Let’s see how to generate a multi-domain CSR on a Windows Server that can be used to secure multiple domains. Let’s learn how to add multiple SAN, DNS, or Alt Names to the CSR.

Step 1. Open MMC on the Windows server

Hit Win + R to open the Run utilityType mmc in the box.Press Ok.

Step 2. Add Certificate Snap-in

Go to File > Add/Remove Snap-in..

Step 3. Select Certificates and press Add

Step 4. Select the User or Computer Certificate snap-in

Select the snap-in which you want to create the certificate. For demonstration, we are choosing a Compute account.Click Next.

Step 5. Select Local Computer

Select the local computer as you are going to create CSR on the same computer.Click Finish.

Step 6. Select Certificate (Local Computer) and click Ok

Step 7. Create Custom Request

Access your MMC snap-in> right-click the Personal folder.Select All Tasks > Advanced Operations > Create Custom Request.

Step 8. CSR generation wizard

The CSR generation wizard will open > Click Next.

Step 9. Proceed without enrollment policy

Select the option to Proceed without enrollment policy > Click Next.

Step 10. Click Next at the PKCS # 10 window.

Step 11. Edit Properties

From the Details drop-down menu > Click Properties.

Step 12. Enter a Friendly Name

Step 13. Add the CSR contents:

Access the Subject tab > in the Subject name: select the types (Common name) from the dropdown list and add the values required for your CSR. Just add the multiple DNS values as shown here. Each DNS represents a domain name.

Example:
CN = <thesecmaster.com>
DNS = <thecrypticworld.com>
DNS = <example.com>
DNS = <deals.com>
DNS = <domain>

Step 14. Set Private Key settings

Click the Private Key tab > click the drop-down for Key options > select Key size: 2048 and check the option to Make private key exportable > Click OK.

Step 15. Save the CSR file to a location.

Select Base 64 and Click Next > Click Browse.

Step 16. Select a location to save the CSR file. Enter a name for the file and click Save.

Step 17. Click Finish.

Step 18. The CSR file will be present at the location you saved it and can be used to request the SSL certificate as needed.

If you ever try opening a CSR from using a text editor, you will see a base64 encoded text. You should need to decode it to read the content of the CSR. Either you can use OpenSSL or online tools to decode the CSR. We want to introduce one such wonderful tool for you.

Namecheap: https://decoder.link/resultt

Copy and paste the content of your CSR here in the box and click Decode. It not only decodes the CSR but also reports any errors if it has.

We hope this post has helped you learn How to Generate a Multi-Domain CSR on A Windows Server. Thanks for reading this post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.