Overview

When you have to install a server certificate on multiple inSync servers, which include inSync master server, remote inSync storage node servers, and edge server, Druva recommends installing a SAN certificate which can be applicable to all of them.

This article provides the steps to create a Certificate Signing Request (CSR)  for a SAN certificate using an OpenSSL tool.

Create a CSR for a SAN certificate

1. Login to the server installed with the OpenSSL tool.
2. Create a file named mysan.cnf with the following information at the location:  C:\OpenSSL-WinXX\bin
   
   {code}
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = test.domain.com
DNS.2   = test2.domain.com
DNS.3   = test3.domain.com
{code}
   
    
3. Verify the server FQDN mentioned under alt_names, where alt_names section is the one you have to change for additional DNS.
4. Open the command prompt as an administrator and change the directory to C:\OpenSSL-WinXX\bin.
5. Generate the CSR and KEY file with this command.
   
   openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config mysan.cnf
6. Enter the details to complete the CSR. Common Name must be the FQDN of the inSync master server.
7. Convert the server.key to RSA format using:
   
   openssl rsa -in server.key -out myserver.key
8. You now have the myserver.key file in the required RSA format. 
   Thus, the CSR and private key are created.