For some time now, Chrome has no longer supported self-signed certificates without a SAN (Subject Alternative Name). (Google Article) Thus the need to create a self-signed certificate with one.

#Step 1
* Run “certlm.msc” to open the Certificate Store of the Local Computer.
* Right click on Personal and select: All Tasks – Advanced Operations – Create Custom Request.
* Select Custom Request and Proceed without enrollment policy and click Next.
* Leave it at “(No template)” and PKCS #10.
* Expand Detail and click on Properties to edit the request.
* Enter a Friendly Name & Description as you like.
* Set the Common Name and DNS with your FQDN. The DNS will be the SAN included in our SSL Certificate.
* Expand “Key usage” and add “Digital signature” to the selected options, and verify that “Make these key usages critical” is checked.
* Expand “Extended Key Usage” and add “Server Authentication” and “Client Authentication” to the selected options.
* Expand Cryptographic Service provider and select “Microsoft Strong Cryptographic Provider (Signature)”.
* Expand Key Options and select your key size from the Key size drop-down menu. (Mostly 2048, 4096 or 8192 is used)
* Make sure “Make private key exportable” is selected.
Now we can save the request we just made.
* On the Certificate Information screen, click Next.
* Enter a file name for your CSR (something like certname.req)
* Select “Base 64” as the File Format and Click Finish
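
The same request can be produced without the wizard by handing `certreq -new` an INF file. This is an added example, not part of the original post: it mirrors the Step 1 choices (signature key, Digital Signature key usage, both EKUs, exportable 2048-bit key, DNS SAN) and checks the resulting request before it goes to the CA. The FQDN `server.example.com` and the file name `request.inf` are placeholders, and the check assumes English `certutil` output.

```powershell
# Added example: scripted equivalent of the Step 1 wizard.
# Run in an elevated session; the key pair is created in the Local Computer store.
$fqdn    = 'server.example.com'            # assumption: placeholder, use your FQDN
$infPath = Join-Path $PWD 'request.inf'    # hypothetical file name
$reqPath = Join-Path $PWD 'certname.req'   # file name suggested in Step 1

# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$template = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__FQDN__"
RequestType = PKCS10
MachineKeySet = TRUE
; "Microsoft Strong Cryptographic Provider (Signature)" in the wizard:
ProviderName = "Microsoft Strong Cryptographic Provider"
ProviderType = 1
KeySpec = 2
KeyLength = 2048
Exportable = TRUE
; 0x80 = Digital Signature
KeyUsage = 0x80

[EnhancedKeyUsageExtension]
; Server Authentication, Client Authentication
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
; 2.5.29.17 = Subject Alternative Name
2.5.29.17 = "{text}"
_continue_ = "dns=__FQDN__&"
'@
$inf = $template.Replace('__FQDN__', $fqdn)
Set-Content -Path $infPath -Value $inf -Encoding ASCII

certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Verify the request before submitting it: the SAN and both EKUs must be present.
$dump = certutil.exe -dump $reqPath | Out-String
foreach ($needle in "DNS Name=$fqdn", '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if (-not $dump.Contains($needle)) { throw "Request is missing: $needle" }
}
Write-Output "Request $reqPath contains SAN $fqdn and both EKUs."
```

In the same `certutil -dump` output, also confirm that the Key Usage extension is flagged critical, as Step 1 requires.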
#Step 2
Log in to your Enterprise Root CA Server so we can issue the request.
* Open the command prompt as administrator and go to the folder where your certificate request is placed. You can sign your request with the following command:
certreq -submit -attrib "CertificateTemplate:webserver" certificate.req
* Go to your Certificate Authority and Issue the Pending certificate
* On the Issued Certificates page you can export the binary data.
* Choose “Binary Certificate” and “Save binary data to file”; it is now possible to save it as certificate.crt.
#Step 3
Import the new Certificate to your Personal store and export it as .pfx with the Private Key so you can use it on other machines as well.
#Information
For Key Usage we selected “Digital Signature”.
A digital signature is often used for entity authentication and data origin authentication with integrity.
For Extended Key Usage we selected “Server Authentication” and “Client Authentication”.
Server Certificates are used to identify a server.
Client certificates are used to identify a client or its user, which means authenticating the client to the server.