How to create CSR for a SAN certificate
Overview
When you have to install a server certificate on multiple inSync servers, which include inSync master server, remote inSync storage node servers, and edge server, Druva recommends installing a SAN certificate which can be applicable to all of them.
This article provides the steps to create a Certificate Signing Request (CSR) for a SAN certificate using an OpenSSL tool.
Create a CSR for a SAN certificate
- Login to the server installed with the OpenSSL tool.
- Create a file named mysan.cnf with the following information at the location: C:\OpenSSL-WinXX\bin
{code}
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = test.domain.com
DNS.2 = test2.domain.com
DNS.3 = test3.domain.com
{code}
- Verify the server FQDN mentioned under alt_names, where alt_names section is the one you have to change for additional DNS.
- Open the command prompt as an administrator and change the directory to C:\OpenSSL-WinXX\bin.
- Generate the CSR and KEY file with this command.
openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config mysan.cnf
- Enter the details to complete the CSR. Common Name must be the FQDN of the inSync master server.
- Convert the server.key to RSA format using:
openssl rsa -in server.key -out myserver.key
- You now have the myserver.key file in the required RSA format.
Thus, the CSR and private key are created.
Verification
To verify the CSR for SAN:
- Open the command prompt as an administrator and change the directory to C:\OpenSSL-WinXX\bin and run:
openssl req -noout -text -in server.csr - Under Subject Alternative Name, the different DNS names must appear for which this CSR is valid.
DNS:test.domain.com, DNS:test2.domain.com, DNS:test3.domain.com
Next steps:
Once you get the signed certificate, create inSyncServerSSL.key file using the signed SAN certificate and myserver.key. See How to set up and install a Trusted Certificate from a Certification Authority (CA) for reference.