Creating a Certificate Signing Request with the Subject Alternative Name extension

book

Article ID: 169420

calendar_today

Updated On:

Products

Director Management Center SSL Visibility Appliance Software ProxyAV Software - AVOS Malware Analysis Software - MA Reporter PacketShaper S-Series Content Analysis Software - CA Advanced Secure Gateway Software - ASG CacheFlow Appliance Software ProxySG Software - SGOS

Issue/Introduction

You want to create a Certificate Signing Request (CSR) with the Subject Alternative Name (SAN) extension included in ProxySG or Advanced Secure Gateway (ASG).

Resolution

The following solution details steps to create a CSR with the SAN extension using a Microsoft web server and on UNIX or Linux systems.

The management console or CLI currently does not provide an option to generate a CSR that includes the SAN extension.

The steps listed therefore only apply in the following situations:

  • Where the ProxySG or ASG acts as a reverse-proxy, and the CSR is generated on the web server behind the ProxySG or ASG.
  • If the certificate-signing tool used to sign a CSR provides for the addition of the SubjectAltName extension, where a CSR is submitted on behalf of the ProxySG or ASG. For example, for the purposes of creating a keyring that is used in the HTTPS management-console.

Disclaimer:

If help is needed using Microsoft Server for this task, contact Microsoft Support.

Using a Microsoft Server

  1. Since the default web server certificate template populates the Subject Name data in the certificate from the fields included in the CSR, a new certificate template must first be created. To create the new template, right-click the default template in the list from Active Directory Certificate Services console, and click Duplicate. Here is an example of a modified template:
    User-added image
  2. Once the template has been created and saved, a certificate for the web server must be created using the MMC snap-in. Note that in this instance, the snap-in must be added to the default console under the Local Computer account:
    User-added image
  3. Once the MMC is loaded, right-click the Personal container, then All Tasks > Request New Certificate > Next > Next, which should present you with the Certificate Enrollment dialog window:
    User-added image
  4. Select the corresponding box for the new template created earlier, click Details > Properties.  This displays the Certificate Properties dialog window:
    User-added image
  5. After filling out a name and description, navigate to the Subject tab, select DNS from the Alternative name drop-down, and enter a relevant hostname for the website in the Value field:
    User-added image

    User-added image
  6. Click Apply, and then fill out or select all other relevant options for the certificate in the remaining tabs (your exact requirements may vary). Details on exporting the certificate and associated private-keys are documented.

Using a Linux server with OpenSSL

The following is an example which should work in the majority of configurations:

$ openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) -out domain.csr

Note: The above command should be entered as a single line


 

Attachments