I tried your script, but it looks for the private key, which is not present, obviously, since the CSR was generated on the switch itself.
Original Message:
Sent: Jul 07, 2023 09:37 AM
From: Evan Z
Subject: CSR creation for AOS switches
We ran into this as well. You need to generate the CSR, then modify it, then you can request a cert from your CA.
Refer to:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/add-san-to-secure-ldap-certificate#use-certreqexe-to-create-and-submit-a-certificate-request-that-includes-a-san
Our INF file looks like this:
[Extensions]
2.5.29.17="{text}ipaddress=10.11.5.6&dns=SITE-2530P24G-1.internal.com&dns=SITE-2530P24G-1"
Then we run the .CMD file to merge and create the certificate.
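The merge-and-submit procedure Evan describes above, written out as an added example (not the .CMD file from his post or anything from HPE/Aruba). The CSR file name, the policy INF name, the hostnames, the IP address and the CA config string are assumptions; the switch keeps its private key throughout, since only the CSR text leaves the device.

```cmd
@echo off
REM Added example (not from the thread): wrap the switch-generated CSR in a new
REM request that carries a Subject Alternative Name, then submit it to the CA.
REM File names, hostnames, IP address and CA config string below are assumptions.

set CSR=5412vsf.csr
set POLICY=san-policy.inf
set NEWREQ=5412vsf-san.req
set CERT=5412vsf.cer
set CACONFIG=ca01.company.com\Company-CA

REM 1. Policy INF in the same [Extensions] form as Evan's post
REM    (OID 2.5.29.17 = subjectAltName). List the common name as a dns= entry
REM    too: browsers ignore the CN once a SAN extension is present.
> %POLICY% echo [Version]
>> %POLICY% echo Signature="$Windows NT$"
>> %POLICY% echo.
>> %POLICY% echo [Extensions]
>> %POLICY% echo 2.5.29.17="{text}dns=5412vsf.company.com&dns=5412vsf&ipaddress=10.11.5.6"

REM 2. Merge the switch's CSR with the policy INF into a new request file.
certreq -policy "%CSR%" "%POLICY%" "%NEWREQ%" || goto :fail

REM 3. Submit the merged request to the enterprise CA; the issued certificate
REM    is written to %CERT%.
certreq -submit -config "%CACONFIG%" "%NEWREQ%" "%CERT%" || goto :fail

REM 4. Confirm the SAN entries are present before installing the certificate
REM    on the switch.
certutil -dump "%CERT%" | findstr /I /C:"DNS Name=" /C:"IP Address="
exit /b 0

:fail
echo Request failed: check that the policy INF parses and the CA config string is correct. 1>&2
exit /b 1
```

If step 4 prints no DNS Name or IP Address lines, the CA did not honour the extension and the browser error from the original post will persist.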
Original Message:
Sent: Jul 06, 2023 08:35 AM
From: Stefano Colombo
Subject: CSR creation for AOS switches
I'm creating a CSR for a 5412 switch to be submitted to an internal CA (Microsoft).
I'm in doubt about how to add, if possible, a SAN field to the request.
This is because I first generate the CSR as per the reference, using only the common name, like below:
crypto pki identity-profile 5412vsf subject common-name 5412vsf.company.com country US org COMPANY org-unit IT State XX
crypto pki create-csr certificate-name 5412vsf ta-profile Company_CA key-type rsa key-size 2048 usage all valid-start 07/05/2023 valid-end 07/04/2033
However, when I connect via a browser, I get the "usual" error about an untrusted connection, and the problem is:
NET::ERR_CERT_COMMON_NAME_INVALID
Subject: 5412vsf.company.com
This server couldn't prove that it's 5412vsf.company.com; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.