**Camelot wrote:**
> Ok, if you are aware of these risks, then the following syntax must be used:
> ```
> Submit-CertificateRequest <parameters> -Attribute "san:dns=www.example.com&dns=sip.example.com"
> ```
We did the following tests:

1. Template first, then SAN:
```
Submit-CertificateRequest -Path d:\temp\acertRequest.cer -CertificateAuthority $myCA -Attribute 'CertificateTemplate:TestServerInternalStandard','san:dns=testname1.infineon.com&dns=testname2.infineon.com'
```
In this case only the required by the CA Template was taken.

2. SAN first, then template:
```
Submit-CertificateRequest -Path d:\temp\acertRequest.cer -CertificateAuthority $myCA -Attribute 'san:dns=testname1.infineon.com&dns=testname2.infineon.com','CertificateTemplate:TestServerInternalStandard'
```
In this case only the SANs were taken and not the Template, which resulted in a "Requeststatus denied" as our CA requires a Templatename.

Do you have an idea what we got wrong? Our CA is hosted on a Win2008 R2 Server.

Thanks, Andreas
Comments:

1) You don't need to move to a Standalone CA. Instead, you should consider creating certificates by using out-of-band solutions. For example, do not use the Lync installation or the IIS manager UI to generate certificate requests. Instead, consider using the certreq.exe tool (I'm still working on a PowerShell implementation) to create and install certificate requests with authenticated extensions (which will contain the SAN if necessary).

2) Not all functions support Standalone CAs. Commands that are related to key recovery (*-KRACertificate, KRA flags), certificate templates assigned to the CA (*-CATemplate) and Get-CAExchangeCertificate do not, as Standalone CAs do not support key archival and certificate templates. The rest of the functions do support Standalone CAs.
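
The certreq.exe route from comment 1, as an added example that is not part of the original thread and not code from the module discussed: the SAN is written into the signed request as an extension instead of being passed as an unauthenticated `san:` request attribute. The function name `New-SanRequestInf`, the file names, the key settings and the `CA-HOST\CA-NAME` config string are assumptions or placeholders; the DNS names and template name are the ones quoted in the thread.

```powershell
# Added example: build a certreq.exe INF whose SAN extension is part of the signed request.
function New-SanRequestInf {
    param(
        [Parameter(Mandatory=$true)] [string]   $SubjectCN,
        [Parameter(Mandatory=$true)] [string[]] $DnsName,
        [Parameter(Mandatory=$true)] [string]   $Template
    )
    # Accept only plain DNS names, so a value cannot close the quoted INF string
    # or smuggle in additional "&"-separated SAN entries.
    $pattern = '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
    foreach ($n in @($SubjectCN) + $DnsName) {
        if ($n -notmatch $pattern) { throw "Not a valid DNS name: $n" }
    }
    $lines = @(
        '[Version]'
        'Signature = "$Windows NT$"'
        ''
        '[NewRequest]'
        "Subject = `"CN=$SubjectCN`""
        'KeyLength = 2048'          # assumed key settings, adjust to the template
        'Exportable = FALSE'
        'MachineKeySet = TRUE'
        'RequestType = PKCS10'
        ''
        '[Extensions]'
        '2.5.29.17 = "{text}"'      # OID of the Subject Alternative Name extension
    )
    $lines += $DnsName | ForEach-Object { "_continue_ = `"dns=$_&`"" }
    $lines += '', '[RequestAttributes]', "CertificateTemplate = $Template"
    $lines -join "`r`n"
}

$inf = Join-Path $env:TEMP 'san-request.inf'
$req = Join-Path $env:TEMP 'san-request.req'
$cer = Join-Path $env:TEMP 'san-request.cer'

New-SanRequestInf -SubjectCN 'www.example.com' `
    -DnsName 'www.example.com','sip.example.com' `
    -Template 'TestServerInternalStandard' |
    Set-Content -Path $inf -Encoding ASCII

certreq.exe -new $inf $req                                  # create key pair and PKCS#10 request
certutil.exe -dump $req                                     # check the SAN extension before submitting
certreq.exe -submit -config 'CA-HOST\CA-NAME' $req $cer     # placeholder CA config string
certreq.exe -accept $cer                                    # install the issued certificate
```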