
How to create a Subject Alternative Name certificate for Symantec Messaging Gateway


Article ID: 161514




Messaging Gateway


This article describes how to create a simple, self-signed Subject Alternative Name (SAN) certificate for Symantec Messaging Gateway (SMG).


The following steps are provided for informational purposes only. If you experience difficulty in implementing these steps, please consult the available OpenSSL documentation. Symantec support is not able to assist with troubleshooting any issues resulting from implementing these steps.


1. Configure OpenSSL. Note that the path might be different depending on the system used, e.g. Cygwin=/usr/ssl/openssl.cnf

 vi /usr/lib/ssl/openssl.cnf


[ req ]

distinguished_name = req_distinguished_name

req_extensions = v3_req


[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

subjectAltName = @alt_names



[ alt_names ]

DNS.1 =

DNS.2 =

IP.1 =

IP.2 =



2. Generate Private key:

$ openssl genrsa -out private.key 4096


If you need to check the key just created:

$ openssl rsa -in private.key -check



3. Generate a CSR:

$ openssl req -new -out server.csr  -key private.key -config /usr/lib/ssl/openssl.cnf


If you need to check the CSR just created:

$ openssl req -text -noout -verify -in server.csr



4. Sign the certificate (“self-signed”):

$ openssl x509 -req -days 3650 -in server.csr -signkey private.key  -out server.crt  -extensions v3_req -extfile /usr/lib/ssl/openssl.cnf


If you need to check the certificate just created:

$ openssl x509 -in server.crt -text -noout



5. Combine the certificate file with private key file.

To import the certificate on SMG, create a new file that combines the certificate with the private key.









Note: Your certificates and key should be in PEM format. If your files are in a different format, openssl can also be used to convert them to PEM.

The above steps were tested on Debian Linux as well as Cygwin.
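
The five steps above as one script, with two checks worth running before import: that the SAN entries actually reached the signed certificate, and that the private key belongs to it. This is an added example, not part of the original article; the host names, the IP address, the file names san.cnf and combined.pem, and the certificate-then-key order of the combined file are assumptions.

```shell
#!/bin/sh
# Added example: steps 1-5 run against a private config file instead of the
# system-wide openssl.cnf. All names and addresses are constructed samples.
make_san_bundle() (            # $1 = existing scratch directory
    umask 077                  # key and bundle readable by the owner only
    cd "$1" || exit 1
    cat > san.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = smg.example.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = smg.example.com
DNS.2 = mail.example.com
IP.1 = 192.0.2.10
EOF
    openssl genrsa -out private.key 4096 &&
    openssl req -new -out server.csr -key private.key -config san.cnf &&
    # x509 -req does not copy extensions from the CSR by default, so the
    # SAN section has to be supplied again through -extfile/-extensions.
    openssl x509 -req -days 3650 -in server.csr -signkey private.key \
        -out server.crt -extensions v3_req -extfile san.cnf &&
    # Assumed bundle layout: certificate first, then the private key.
    cat server.crt private.key > combined.pem
)

# Succeeds only if the certificate text contains the given SAN entry.
cert_has_san() {               # $1 = certificate, $2 = e.g. DNS:smg.example.com
    openssl x509 -in "$1" -noout -text | grep -qF "$2"
}

# Succeeds only if certificate and private key carry the same public key.
key_matches_cert() {           # $1 = certificate, $2 = private key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}
```

Call `make_san_bundle` with an empty directory, then run `cert_has_san` for each name or address clients will use and `key_matches_cert` on the certificate and key before importing the combined file.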




