This guide allows you to create a multi-domain/unified communications certificate (UCC) for securing multiple domains under 1 certificate, you secure a primary domain name and up to 99 additional Subject Alternative Names (SANs) in a single certificate.
Download and install the latest stable OpenSSL windows executable from https://slproweb.com/products/Win32OpenSSL.html
Create req config file
Create or reuse req.conf file as per below with SAN names (do not include lines at top and bottom)
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
C = GB
ST = <state or county>
L = <city>
O = <company name>
OU = <company name>
CN = <externaldomainname1>
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
DNS.1 = externaldomainname2
DNS.2 = externaldomainname3
DNS.3 = externaldomainname4
DNS.4 = externaldomainname5
Generate CSR and Private Key
Run cmd as administrator
cd "C:\Program Files\OpenSSL-Win64\bin" openssl req -new -out ucc.csr -newkey rsa:2048 -nodes -sha256 -keyout ucc.key.temp -config C:\TEMP\req.conf
*This creates the CSR, private key from the req.conf file created above*
openssl req -noout -text -in ucc.csr
*Verify the CSR information is correct*
Verify Private Key
openssl rsa -in ucc.key.temp -check
*This will verify the private key, it should return an OK*
Use CSR on certificate authority to create a certificate file
Use CSR on third party certificate authority (GoDaddy/Digicert etc) with a Multiple Domain (UCC) SSL certificate or wildcard certificate that supports subdomains
Verify every domain via DNS, web page or email (DNS is creation of a TXT record in external domain name), download certificate file (.crt) and intermediate file.
Combine CRT and Private Key into PFX
Importing this crt file into IIS for example will not import the private key, you need to combine the private key (created earlier) and the downloaded crt file by the following command;
openssl pkcs12 -export -in C:\TEMP\shfghdsgfh32356.crt -inkey ucc.key.temp -out ucc.pfx
Create an export password then the PFX file should now be generated to import into IIS.
Using MMC > Add Snap-In > Certificates > Local Computer you can now import the PFX file into the Personal Store,you should see a key symbol on the certificate, if you do not see the key one of the steps above has been missed.
Finally, ensure that the intermediate certificate authority crt file that was also downloaded from the certificate authority is added to the the Intermediate Certification Authority > Certificates section of the certificates snap-in within MMC.
The key should now be visible with Server Certificates within IIS (May need to refresh) and can now be used within IIS HTTPS bindings.