Druva Documentation

How to create CSR for a SAN certificate

 

Overview

When you have to install a server certificate on multiple inSync servers (the inSync master server, remote inSync storage node servers, and the edge server), Druva recommends installing a single SAN (Subject Alternative Name) certificate that is valid for all of them.

This article provides the steps to create a Certificate Signing Request (CSR) for a SAN certificate using the OpenSSL tool.

Create a CSR for a SAN certificate

  1. Log in to the server on which the OpenSSL tool is installed.
  2. Create a file named mysan.cnf with the following content in C:\OpenSSL-WinXX\bin:

    [ req ]
    default_bits       = 2048
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext

    [ req_distinguished_name ]
    countryName            = Country Name (2 letter code)
    stateOrProvinceName    = State or Province Name (full name)
    localityName           = Locality Name (eg, city)
    organizationName       = Organization Name (eg, company)
    commonName             = Common Name (e.g. server FQDN or YOUR name)

    [ req_ext ]
    subjectAltName = @alt_names

    [alt_names]
    # One DNS.n entry per server FQDN that the certificate must cover
    DNS.1   = test.domain.com
    DNS.2   = test2.domain.com
    DNS.3   = test3.domain.com


     
  3. Verify the server FQDNs listed under alt_names. The alt_names section is the one you edit to add or change DNS names.
  4. Open the command prompt as an administrator and change the directory to C:\OpenSSL-WinXX\bin.
  5. Generate the CSR and the private key file with this command. The -nodes option writes server.key without passphrase encryption, so restrict access to that file.

    openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config mysan.cnf
  6. Enter the details to complete the CSR. Common Name must be the FQDN of the inSync master server.
  7. Convert the server.key to RSA format using:

    openssl rsa -in server.key -out myserver.key
  8. You now have the myserver.key file in the required RSA format.
    The CSR and private key are now created.

Verification

To verify the CSR for SAN:

  1. Open the command prompt as an administrator, change the directory to C:\OpenSSL-WinXX\bin, and run:

    openssl req -noout -text -in server.csr
  2. Under Subject Alternative Name, the output must list every DNS name for which this CSR is valid:

    DNS:test.domain.com, DNS:test2.domain.com, DNS:test3.domain.com
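
The comparison in step 2 can be scripted so that a name dropped from the request is caught before the CSR goes to the CA. This is an added example, not part of the Druva article or product: it compares the DNS entries in mysan.cnf with the text printed by `openssl req -noout -text` and reports whether the Common Name is among the SAN entries. The function names and both sample inputs are constructed for illustration.

```python
import re

# Constructed sample: the [alt_names] section of mysan.cnf from the article.
SAMPLE_CNF = """\
[alt_names]
DNS.1   = test.domain.com
DNS.2   = test2.domain.com
DNS.3   = test3.domain.com
"""
# Constructed sample: trimmed `openssl req -noout -text` output, one name missing.
SAMPLE_CSR_TEXT = """\
Certificate Request:
        Subject: C = US, ST = CA, O = Example, CN = test.domain.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:test.domain.com, DNS:test2.domain.com
"""

def cnf_alt_names(cnf_text):
    """Return the DNS.n values of the [alt_names] section, lower-cased."""
    names, section = set(), None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "alt_names" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.upper().startswith("DNS."):
                names.add(value.lower())
    return names

def csr_names(csr_text):
    """Return (common name, set of SAN DNS names) from the openssl text dump."""
    lines, sans = csr_text.splitlines(), set()
    for i, line in enumerate(lines[:-1]):
        if "Subject Alternative Name" in line:       # names are on the next line
            sans = {n.lower() for n in re.findall(r"DNS:([^,\s]+)", lines[i + 1])}
    cn = re.search(r"Subject:.*?\bCN\s*=\s*([^,/\s]+)", csr_text)
    return (cn.group(1).lower() if cn else None), sans

def check_csr(cnf_text, csr_text):
    """Compare the names requested in the config with those in the CSR."""
    expected = cnf_alt_names(cnf_text)
    cn, sans = csr_names(csr_text)
    return {"missing": sorted(expected - sans),
            "unexpected": sorted(sans - expected), "cn_in_san": cn in sans}

if __name__ == "__main__":
    print(check_csr(SAMPLE_CNF, SAMPLE_CSR_TEXT))
```

To check a real request, pass the contents of mysan.cnf and the captured output of the verification command to `check_csr`; an empty `missing` list means every configured name is in the CSR.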

Next steps:

Once you get the signed certificate, create the inSyncServerSSL.key file using the signed SAN certificate and myserver.key. See How to set up and install a Trusted Certificate from a Certification Authority (CA) for reference.
