Adding a Subject Alternative Name Field to an Existing Certificate

By s31064
We're using a Windows Server 2003 CA to provide certs for our VPN users, and it's been working well. The decision was just made to allow our iPad and iPhone users access to the VPN; however, this apparently requires an additional Subject Alternative Names field to be added to the server's cert. This doesn't appear to be too hard (certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2). My question is, will adding this field affect any of the other systems that are already using the VPN? I don't think it should, but I need to be sure before we make any changes to the existing infrastructure.

From the Apple iPhone OS Enterprise Deployment Guide:

"The server identity certificate must contain the server


All Answers


I could be wrong but

by robo_dev In reply to Adding a Subject Alternat ...

If you change something in a certificate, it's no longer the same certificate, right?

Not sure how the CA handles re-issuing the cert....also I think this can open a security hole and/or break OWA.

"Microsoft recommends that you never enable SAN extension support on your enterprise root or enterprise subordinate CAs. If you enable this functionality, it must be on a standalone CA that's dedicated to issuing SAN certificates; on a standalone CA, certificate requests are held in a pending state until they can be reviewed and approved by a certificate manager. For security reasons, you don't want one of your enterprise CAs to automatically issue SAN certificates. The use of user-defined SAN extensions can increase the risk of impersonation attacks because it allows users to specify arbitrary names in their certificate requests. "

Cisco makes a nice VPN client for IOS, btw :)
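Added example for the certutil step in the question and the Microsoft guidance quoted in the reply above; it is not code from either poster or from Microsoft. It reads the CA's EditFlags value directly from the registry (the same value `certutil -getreg policy\EditFlags` prints), reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set, and flags the combination the quoted guidance warns about (enterprise CA plus SAN attribute enabled). A second function decodes the subjectAltName extension of an already issued certificate file so you can confirm what existing VPN clients are presenting. Assumptions: it runs on the CA host with rights to read the CertSvc configuration keys, the CA uses the default policy module, and the certificate path in the usage line is a placeholder.

```powershell
# Added audit example for this thread; not from the original post or from Microsoft.
# Assumes: run on the CA host with read access to the CertSvc registry configuration,
# and the CA uses the default policy module (CertificateAuthority_MicrosoftDefault.Policy).

# Same value certutil displays as "EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000"
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

function Get-CaSanAttributeState {
    param([string]$CaName)

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not $CaName) {
        # The "Active" value names the CA instance configured on this host
        $CaName = (Get-ItemProperty -Path $base -Name Active).Active
    }
    $caKey     = Join-Path $base $CaName
    $policyKey = Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'

    $editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
    $caType    = (Get-ItemProperty -Path $caKey -Name CAType).CAType

    # CAType follows the CERT_CA_TYPE enumeration: 0/1 = enterprise root/subordinate,
    # 3/4 = standalone root/subordinate
    $isEnterprise = ($caType -eq 0 -or $caType -eq 1)
    $sanEnabled   = (($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)

    New-Object PSObject -Property @{
        CaName               = $CaName
        EditFlagsHex         = ('0x{0:X}' -f $editFlags)
        EnterpriseCa         = $isEnterprise
        SanAttributeEnabled  = $sanEnabled
        # The condition the quoted Microsoft guidance advises against
        ContraryToMsGuidance = ($isEnterprise -and $sanEnabled)
    }
}

function Get-CertificateSan {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Load an issued certificate file and decode its subjectAltName extension (OID 2.5.29.17)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($null -eq $san) { return 'no subjectAltName extension present' }
    return $san.Format($true)
}

# Usage (the certificate path is a placeholder):
Get-CaSanAttributeState | Format-List
Get-CertificateSan -Path 'C:\temp\vpn-server.cer'
```

Two things the output makes concrete. First, EditFlags is a property of the CA's policy module, not of any certificate: setting the flag changes how the CA processes future requests that carry a SAN attribute, and certificates already issued to existing VPN clients are signed objects that do not change, which is the point made at the top of the reply. Second, `ContraryToMsGuidance` becoming true is the state the quoted paragraph describes, because an enterprise CA issues automatically and the requester, not the template, then decides which names appear in the SAN.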
