Camelot wrote:

    > Consider including the SAN as an extension and not as an attribute: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=20

    Yes, we are aware of this risk, BUT we also have non-Microsoft and Microsoft applications (like Lync) which cannot handle SANs at the request level. So this "disliked" feature is still required.

    Thanks
    Andreas

When passing SANs as an attribute, it may lead to a security risk, because the SAN attribute requires a special flag on the CA. When this flag is enabled, any requester can pass any SAN, which will be automatically added to the certificate without prior approval (and even if the subject is constructed automatically). Therefore I would recommend pre-moderating all certificate templates that accept the subject from the request. And, of course, include the SAN in the extension section. If you are using an INF file to generate the request, the syntax of the INF file would contain:

    [Extensions]
    2.5.29.17 = "{text}"
    _continue_ = "dns=www01.fabrikam.com&"
    _continue_ = "dns=www02.fabrikam.com&"

So at the end my question still remains: can I add the SANs for a certificate request via the -Attribute parameter of Submit-CertificateRequest?

Thanks
Andreas
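The following PowerShell script is an added example, not code posted by anyone in this thread. It does two things the replies above describe: it generates a PKCS#10 request with the SANs carried in the 2.5.29.17 extension via an INF file (so no CA-side flag is needed), and it checks the issuing CA's EditFlags for EDITF_ATTRIBUTESUBJECTALTNAME2, the flag that makes request-level SAN attributes get honoured without approval. The hostnames, the working directory and the CA config string are assumptions; it does not use Submit-CertificateRequest and makes no claim about what that cmdlet's -Attribute parameter does.

```powershell
# Added example (not from the thread). Assumed: hostnames, paths and the CA
# config string below. Run on a domain-joined Windows host with certreq.exe
# and certutil.exe available and RPC access to the CA.
$ErrorActionPreference = 'Stop'

$Subject  = 'CN=www01.fabrikam.com'                     # assumed
$DnsNames = @('www01.fabrikam.com', 'www02.fabrikam.com') # assumed
$WorkDir  = Join-Path $env:TEMP 'san-demo'                # assumed
$CAConfig = 'ca01.fabrikam.com\Fabrikam Issuing CA'       # assumed CA config string
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. SAN as an extension. The names are signed inside the request itself, so
#    the CA needs no special flag and template policy still applies. Each
#    _continue_ line is appended to the preceding value; certreq accepts the
#    trailing '&' separator on every entry.
$sanLines = $DnsNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
RequestType = PKCS10
KeyUsage = 0xa0

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`n")
"@
$infPath = Join-Path $WorkDir 'request.inf'
$reqPath = Join-Path $WorkDir 'request.req'
Set-Content -Path $infPath -Value $inf -Encoding Ascii

certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Confirm the extension really is in the request before submitting anything.
$dump = certreq.exe -dump $reqPath | Out-String
if ($dump -notmatch 'Subject Alternative Name') {
    throw 'SAN extension not found in the generated request'
}
Write-Host "Request with SAN extension written to $reqPath"

# The attribute form the question is about looks like this with certreq and
# is only honoured when the CA flag checked below is set:
#   certreq -submit -config $CAConfig -attrib "SAN:dns=www01.fabrikam.com&dns=www02.fabrikam.com" $reqPath

# 2. Check the CA for EDITF_ATTRIBUTESUBJECTALTNAME2. certutil decodes the
#    EditFlags DWORD into its flag names, one per line.
$editFlags = certutil.exe -config $CAConfig -getreg 'policy\EditFlags' | Out-String
if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed with exit code $LASTEXITCODE" }

if ($editFlags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    Write-Warning "$CAConfig accepts SANs from request attributes (EDITF_ATTRIBUTESUBJECTALTNAME2 is set)."
    Write-Warning 'Any enrollee can then add any SAN; templates that take the subject from the request should require CA manager approval.'
} else {
    Write-Host "$CAConfig does not honour SAN request attributes; extension-based SANs still work."
}
```

The flag check reads the CA's policy module registry key remotely, so it needs the right to read the CA configuration; if you would rather not grant that, run the same certutil command on the CA itself. The INF section is the same `{text}` / `_continue_` syntax shown in the reply above, just generated from a list so it can carry as many names as the application needs.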