How to create a generic certificate, with a SAN and signed by the CA (Certificate Authority) of your choice, to cover multiple DSAs on multiple hosts and avoid the self-signed certificate generated by Symantec Directory.
Assumption:
** One of the DSAs running on a system (a system may host several DSAs, including matching pairs of multi-write peer DSAs and router DSAs) is called 'testDSA1'.
** The CSR for the generic certificate is called 'genCERT1'.
STEPS:
1. Generate the generic CSR with a SAN using the 'dxcertgen' command line tool. The example below shows that multiple DNS names can be specified, if that is what is required.
dxcertgen -e "SAN=DNS:my_dns1.com,DNS:my_dns2.com" -g genCERT1 certreq
This results in the files genCERT1.csr and genCERT1.key.
2. Send genCERT1.csr to the CA for signing and receive everything back from them.
e.g. you will get back the signed certificate (for example, genCERT1.cer) along with the root CA file.
3. Copy the .key file (generated in step 1) so that its name matches the actual DSA name (in the example above, 'testDSA1').
cp genCERT1.key testDSA1.key
4. Using the 'certmerge' option of the 'dxcertgen' command line tool, merge the received certificate (genCERT1.cer), specifying the DSA name (testDSA1). This also merges in the key (testDSA1.key), and the result is placed under the $DXHOME/config/ssld/personalities folder.
dxcertgen -D testDSA1 -n genCERT1.cer certmerge
5. Using the 'importca' option of the 'dxcertgen' command line tool, import the root CA received from the signing authority in step (2). If there are any intermediate certificates, they can also be imported at this stage. This updates the existing 'trusted.pem' file under the $DXHOME/config/ssld folder, which Symantec Directory uses as its trusted root CA store.
dxcertgen -n <received_root_CA>.cer importca
dxcertgen -n <your_intermediate_cert>.cer importca
dxcertgen -n <your_root_CA>.cer importca
6. Move/rename the 'testDSA1.pem' file produced by the certmerge step to 'genCERT1.pem'.
mv $DXHOME/config/ssld/personalities/testDSA1.pem $DXHOME/config/ssld/personalities/genCERT1.pem
7. Modify the SSLD .dxc file under the $DXHOME/config/ssld folder to use 'cert-file', since the default is 'cert-dir', which points to the entire 'personalities' folder.
cert-dir = "config/ssld/personalities"
TO
cert-file= "/config/ssld/personalities/genCERT1.pem"
8. Restart ALL DSAs and test SSL functionality.
9. Later, copy 'genCERT1.pem' and 'trusted.pem' from this host to all other hosts, and make the same SSLD .dxc change on those hosts from 'cert-dir' to 'cert-file'.
References:
DXcertgen Tool -- Generate and Work with Certificates
See the section titled "Use DXcertgen to Request and Use a Third-party Certificate for a DSA Certificate" on the above page.