
How to create a Subject Alternative Name certificate for Symantec Messaging Gateway


Article ID: 161514


Products

Messaging Gateway

Issue/Introduction

This article explains how to create a simple, self-signed Subject Alternative Name (SAN) certificate for Symantec Messaging Gateway (SMG).

Resolution

The following steps are provided for informational purposes only. If you experience difficulty in implementing these steps, please consult the available OpenSSL documentation at https://www.openssl.org/docs. Symantec support is not able to assist with troubleshooting any issues resulting from implementing these steps.

 

1. Configure OpenSSL. Note that the path to the configuration file might be different depending on the system used, e.g. on Cygwin it is /usr/ssl/openssl.cnf

vi /usr/lib/ssl/openssl.cnf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = mail1.example.com
DNS.2 = mail2.example.com
IP.1 = 192.168.1.1
IP.2 = 192.168.1.2

 

 

2. Generate a private key:

$ openssl genrsa -out private.key 4096

 

If you need to check the key just created:

$ openssl rsa -in private.key -check

 

 

3. Generate a CSR:

$ openssl req -new -out server.csr  -key private.key -config /usr/lib/ssl/openssl.cnf

 

If you need to check the CSR just created:

$ openssl req -text -noout -verify -in server.csr

 

 

4. Sign the certificate (“self-signed”):

$ openssl x509 -req -days 3650 -in server.csr -signkey private.key  -out server.crt  -extensions v3_req -extfile /usr/lib/ssl/openssl.cnf

 

If you need to check the certificate just created:

$ openssl x509 -in server.crt -text -noout

 

 

5. Combine the certificate file with the private key file.

To import the certificate on SMG, create a new file that combines the certificate with the private key.

-----BEGIN CERTIFICATE-----

[…]

-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----

[…]

-----END RSA PRIVATE KEY-----

 

 


Note: Your certificates and key should be in PEM format. If your files are in a different format, openssl can also be used to convert them to PEM.

The above steps were tested on Debian Linux as well as Cygwin.
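Steps 1 to 5 as one script, added here as an example (not part of the original article and not Symantec's own code). It uses a local config file rather than editing the system openssl.cnf, then checks that the signed certificate actually carries the SAN entries, which `openssl x509 -req` omits unless `-extensions` and `-extfile` are passed as in step 4. The file names san.cnf and combined.pem and the CN value are assumptions.

```shell
# Steps 1-5 in one run, using a local config instead of the system openssl.cnf.
# Assumed names: san.cnf, combined.pem, the CN value. SAN entries are the page's.
make_san_bundle() {
    dir=$1
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = mail1.example.com

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = mail1.example.com
DNS.2 = mail2.example.com
IP.1 = 192.168.1.1
IP.2 = 192.168.1.2
EOF
    (   umask 077   # key and combined file readable by the owner only
        openssl genrsa -out "$dir/private.key" 4096 2>/dev/null &&
        openssl req -new -key "$dir/private.key" -out "$dir/server.csr" \
            -config "$dir/san.cnf" &&
        openssl x509 -req -days 3650 -in "$dir/server.csr" \
            -signkey "$dir/private.key" -out "$dir/server.crt" \
            -extensions v3_req -extfile "$dir/san.cnf" 2>/dev/null &&
        cat "$dir/server.crt" "$dir/private.key" > "$dir/combined.pem"
    )
}

# Returns 0 only if server.crt lists every SAN and its key matches private.key.
check_san_bundle() {
    dir=$1
    text=$(openssl x509 -in "$dir/server.crt" -noout -text) || return 1
    for san in "DNS:mail1.example.com" "DNS:mail2.example.com" \
               "IP Address:192.168.1.1" "IP Address:192.168.1.2"; do
        printf '%s\n' "$text" | grep -qF "$san" || return 1
    done
    cert_mod=$(openssl x509 -in "$dir/server.crt" -noout -modulus) || return 1
    key_mod=$(openssl rsa -in "$dir/private.key" -noout -modulus) || return 1
    [ "$cert_mod" = "$key_mod" ]
}
# Usage: d=$(mktemp -d) && make_san_bundle "$d" && check_san_bundle "$d" && echo OK
```

On OpenSSL 3.x, genrsa writes a PKCS#8 key (`BEGIN PRIVATE KEY`) unless `-traditional` is given, so the key header in combined.pem may differ from the one shown in step 5.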

 

 

 

Attachments

server.csr
san_domain_com.crt
private.key
crt_private key.pem