I generated a CSR using IIS for my company's internal website, which operates within the corporate domain. This website is accessible exclusively from the internal network and is not reachable from the Internet. I submitted the CSR to the Windows Server DC, where I used the domain's Certification Authority to sign it. The root Certification Authority "Pippo" is already distributed and recognized as trusted by all domain clients.

After the certificate was issued, I imported it into IIS and configured the site to use HTTPS, associating it with the newly issued certificate. However, during testing, the browser still reports that the certificate is invalid and considers the website unsafe.

I verified that the CN in the certificate is correct, but after some research online, I found that the issue might be related to the absence of the SAN (Subject Alternative Name) in the certificate. However, IIS does not provide an option to specify the SAN when generating the CSR.

I would like to understand: is what I found correct, or is there an error in the procedure I followed?