Agile Insider Blog

Enabling Subject Alternative Names (SAN) in Windows 2008 Certificate Server

Quick note from the field on enabling SAN support on Windows 2008 Certificate Server.

From the command line on the certificate server run:

  1. certutil -setreg policy\SubjectAltName enabled
  2. certutil -setreg policy\SubjectAltName2 enabled
  3. Restart the certificate service


Registry entries with Certificate Services (Windows 2003)

Registry Path



Windows Server 2003 and Windows 2000 Server

This setting uses an OID for the SubjAltName extension of an issued certificate. This setting is almost never used.

Registry Path



Windows Server 2003 and Windows 2000 Server

This setting makes it possible for a stand-alone CA to place in the SubjAltName extension of an issued certificate the e-mail address of the authenticated user making the certificate request. This setting is rarely used.

Certificate Deployment Planning

  • For user certificates, the Subject Alternative Name (SubjectAltName) extension, if used, must contain the user principal name (UPN). By default, the User certificate template is configured with the UPN.
  • For computer certificates, the SubjectAltName extension, if used, must contain the computer’s fully qualified domain name (FQDN), which is also called the DNS name. By default, the Workstation Authentication certificate template is not configured with this value and must be reconfigured to meet this requirement according to the instructions in Configure the Workstation Authentication Certificate Template.
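To check issued certificates against the two requirements above, here is an added PowerShell example (not part of the original post). The function names and the sample certificates are hypothetical and constructed in memory. It assumes Windows with English extension display strings ("DNS Name=", "Principal Name=") and .NET Framework 4.7.2 or later.

```powershell
# Added example. Assumes Windows with English extension display strings and
# .NET Framework 4.7.2+ (or PowerShell 7). Sample certificates are constructed.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-SanEntry {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    # 2.5.29.17 is the subjectAltName extension OID.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }
    # Windows formats entries as "DNS Name=..." and "Other Name:Principal Name=...".
    foreach ($m in [regex]::Matches($ext.Format($false), '(DNS Name|Principal Name)=([^,\r\n]+)')) {
        [pscustomobject]@{ Type = $m.Groups[1].Value; Value = $m.Groups[2].Value.Trim() }
    }
}

function Test-SanRequirement {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [Parameter(Mandatory)][ValidateSet('User', 'Computer')][string]$Kind,
        [Parameter(Mandatory)][string]$Expected   # UPN for User, FQDN for Computer
    )
    $entries = @(Get-SanEntry -Certificate $Certificate)
    # The requirement applies only "if used": no DNS/UPN entries is reported separately.
    if ($entries.Count -eq 0) { return 'NoSan' }
    $type = if ($Kind -eq 'User') { 'Principal Name' } else { 'DNS Name' }
    $values = @($entries | Where-Object { $_.Type -eq $type } | ForEach-Object { $_.Value })
    if ($values -contains $Expected) { 'Pass' } else { 'Fail' }   # -contains ignores case
}

function New-SampleCert {   # constructed, in-memory, self-signed test input
    param([string]$Subject, [string]$Dns, [string]$Upn)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if ($Dns -or $Upn) {
        $san = [SubjectAlternativeNameBuilder]::new()
        if ($Dns) { $san.AddDnsName($Dns) }
        if ($Upn) { $san.AddUserPrincipalName($Upn) }
        $req.CertificateExtensions.Add($san.Build($false))
    }
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(1))
}

$pc    = New-SampleCert -Subject 'CN=pc01' -Dns 'pc01.corp.example'
$alice = New-SampleCert -Subject 'CN=alice' -Upn 'alice@corp.example'
$bare  = New-SampleCert -Subject 'CN=pc02'
Test-SanRequirement -Certificate $pc    -Kind Computer -Expected 'pc01.corp.example'
Test-SanRequirement -Certificate $alice -Kind User     -Expected 'alice@corp.example'
Test-SanRequirement -Certificate $alice -Kind Computer -Expected 'alice.corp.example'
Test-SanRequirement -Certificate $bare  -Kind Computer -Expected 'pc02.corp.example'
```

To check a real certificate, pass an X509Certificate2 object from the Cert: drive or loaded from a .cer file in place of the sample certificates.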
