There is a need to know how to create a simple, self-signed Subject Alternative Name (SAN) certificate for Symantec Messaging Gateway (SMG).
The following steps are provided for informational purposes only. If you experience difficulty in implementing these steps, please consult the available OpenSSL documentation at https://www.openssl.org/docs. Symantec support is not able to assist with troubleshooting any issues resulting from implementing these steps.
1. Configure OpenSSL. Note that the path might be different depending on the system used, e.g. Cygwin=/usr/ssl/openssl.cnf
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
# Section referenced by "subjectAltName = @alt_names" above
[ alt_names ]
DNS.1 = mail1.example.com
DNS.2 = mail2.example.com
IP.1 = 192.168.1.1
IP.2 = 192.168.1.2
2. Generate the private key:
$ openssl genrsa -out private.key 4096
If you need to check the key just created:
$ openssl rsa -in private.key -check
3. Generate a CSR:
$ openssl req -new -out server.csr -key private.key -config /usr/lib/ssl/openssl.cnf
If you need to check the CSR just created:
$ openssl req -text -noout -verify -in server.csr
4. Sign the certificate (“self-signed”):
$ openssl x509 -req -days 3650 -in server.csr -signkey private.key -out server.crt -extensions v3_req -extfile /usr/lib/ssl/openssl.cnf
If you need to check the certificate just created:
$ openssl x509 -in server.crt -text -noout
5. Combine the certificate file with the private key file.
To import the certificate on SMG, create a new file that combines the certificate with the private key.
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Note: Your certificates and key should be in PEM format. If your files are in a different format, openssl can also be used to convert them to PEM.
The above steps were tested on Debian Linux as well as Cygwin.
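The script below is an added example, not part of the original article: it runs steps 1 to 5 non-interactively in a scratch directory and checks that the SAN entries are present in the signed certificate and that the key matches it before combining them. Assumptions: the function names, the `prompt = no` setting, the CN value, the `smg.pem` file name and the certificate-then-key order in the combined file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: steps 1-5 in a scratch directory, with verification checks.

write_cnf() {   # $1 = path for a minimal config mirroring step 1
  cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
CN = mail1.example.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = mail1.example.com
DNS.2 = mail2.example.com
IP.1 = 192.168.1.1
IP.2 = 192.168.1.2
EOF
}

san_line() {    # $1 = certificate; prints its SAN entries on one line
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

key_matches_cert() {   # $1 = key, $2 = certificate; true if the moduli agree
  [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -modulus)" ]
}

build_smg_pem() (      # $1 = work dir, $2 = RSA bits (default 4096, as in step 2)
  d=$1; bits=${2:-4096}
  umask 077            # key material: owner-only files (subshell keeps it local)
  write_cnf "$d/openssl.cnf" || return 1
  openssl genrsa -out "$d/private.key" "$bits" 2>/dev/null || return 1
  openssl req -new -key "$d/private.key" -out "$d/server.csr" \
    -config "$d/openssl.cnf" || return 1
  openssl x509 -req -days 3650 -in "$d/server.csr" -signkey "$d/private.key" \
    -out "$d/server.crt" -extensions v3_req -extfile "$d/openssl.cnf" || return 1
  san_line "$d/server.crt" | grep -q 'DNS:mail2.example.com' || return 2
  key_matches_cert "$d/private.key" "$d/server.crt" || return 3
  # Assumed order (certificate, then key); the article does not state it.
  cat "$d/server.crt" "$d/private.key" > "$d/smg.pem"
)
```

Call it as `build_smg_pem "$(mktemp -d)"`; a return code of 2 means the SAN extension did not reach the certificate, and 3 means the key and certificate do not belong together.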