Question : Certreq in Windows 2003 Server (Certificate Authority)

I am trying to create a request file using Certreq in Windows 2003 Server. The request is created fine.

But when trying to submit this request, it shows the message "The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377) Denied by Policy Module".

Below is what my inf file looks like.

;----------------- request.inf -----------------

[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN="
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[RequestAttributes]
CertificateAttributes = DoaminControllerAuthentication
SAN=dns=abc.xyz.com&dns=ldap.xyz.com

;-----------------------------------------------

Kindly suggest, Thanks!

Answer : Certreq in Windows 2003 Server (Certificate Authority)

Also, the .inf example is an old one - if you are trying to re-create the DCA template, you may want a few extra attributes under the EKU extension field.  These aren't necessarily required, but might make life a little easier for you down the road.

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
OID=1.3.6.1.4.1.311.20.2.2 ; Smart Card Logon

If you don't use smartcards you may someday; it doesn't hurt to have the extra attributes set up now so you don't get confused down the road.  This is included in the default DCA template.
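
A small Python check for the request.inf discussed above, added here as an example (not code from the original post or from Microsoft): it reports which of the EKU OIDs listed in the answer are present or missing, decodes the KeyUsage bit mask, and lists the SAN DNS names. The function names and the abridged sample file are assumptions made for illustration.

```python
import re

# EKU OIDs the answer above lists for the DCA-style request.
DCA_EKUS = {"1.3.6.1.5.5.7.3.1": "Server Authentication",
            "1.3.6.1.5.5.7.3.2": "Client Authentication",
            "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon"}
# X.509 key usage bit flags as used in the certreq KeyUsage value.
KEY_USAGE_BITS = {0x80: "digitalSignature", 0x40: "nonRepudiation",
                  0x20: "keyEncipherment", 0x10: "dataEncipherment",
                  0x08: "keyAgreement", 0x04: "keyCertSign", 0x02: "cRLSign"}

# Constructed sample: abridged from the request.inf in the question.
SAMPLE_INF = """\
[NewRequest]
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
[RequestAttributes]
SAN=dns=abc.xyz.com&dns=ldap.xyz.com
"""

def parse_inf(text):
    """Parse .inf text into {section: [(key, value), ...]}, keeping repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip().strip('"')))
    return sections

def review(text):
    """Summarise EKUs present/missing, decoded KeyUsage and SAN DNS names."""
    inf = parse_inf(text)
    ekus = {v for k, v in inf.get("EnhancedKeyUsageExtension", []) if k.upper() == "OID"}
    usage = int(dict(inf.get("NewRequest", [])).get("KeyUsage", "0"), 16)
    san = dict(inf.get("RequestAttributes", [])).get("SAN", "")
    return {
        "eku_present": [n for o, n in DCA_EKUS.items() if o in ekus],
        "eku_missing": [n for o, n in DCA_EKUS.items() if o not in ekus],
        "key_usage": [n for bit, n in KEY_USAGE_BITS.items() if usage & bit],
        "san_dns": [p[4:] for p in san.split("&") if p.lower().startswith("dns=")],
    }

if __name__ == "__main__":
    print(review(SAMPLE_INF))
```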