ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Install Certificate Authority signed certificates without a generated Certificate Signing Request

book

Article ID: 153938

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

  • Install certificates on Symantec Messaging Gateway (SMG) that were originally created or requested on a different host.
  • Install either Subject Alternative Name (SAN) or wildcard certificates without a generated Certificate Signing Request (CSR) on SMG.

Cause

SMG will not install a certificate without either:

  • the private key included in the PEM file
  • a CSR that already exists in the SMG

Resolution

Notice: These instructions are provided as a service to our customers. Symantec Enterprise Support will not provide assistance to convert certificate formats by phone, email, or chat. For more assistance, please contact your certificate authority.

 

Chaining your certificate and original private key (no passphrase used to generate certificate)

  1. Create an empty text file.
  2. Copy the contents of your certificate and paste into the new file.
  3. Copy the contents of any intermediate certs and paste into the file after the certificate (if needed).
  4. Copy the contents of your private key and paste into the new file after the certificate.
  5. Save the new file locally (e.g. certandprivatekey.pem)
  6. Import into the SMG.

Verify the combined PEM file is structured similar to this:

-----BEGIN CERTIFICATE-----
<ASCII code for certificate>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
<ASCII code for key>
-----END RSA PRIVATE KEY-----

Chaining your certificate and original private key (passphrase used to generate certificate)

To modify the certificate import file, please have:

  • Certificate file
  • Original private key
  • OpenSSL (https://www.openssl.org if you need a copy)
  • Passphrase used to generate the key

To modify the certificate:

  1. Use OpenSSL to remove the passphrase from the private key using the following command:
    • openssl rsa -in private.key -out key-nopass.key
  2. Enter the original passphrase used to generate the certificate when prompted.
  3. Create a new text file.
  4. Copy the certificate into the new file.
  5. Copy the contents of any intermediate certs and paste into the file after the certificate (if needed).
  6. Copy the contents of your private key and paste into the new file after the certificate.
  7. Copy the contents of the output key into the new file under the original private key.
  8. Save the new file locally (e.g. certwithprivatenopass.pem).
  9. Import the file into the Control Center.

The combined PEM file should be structured like this:

-----BEGIN CERTIFICATE-----
<ASCII code for certificate>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
<ASCII code for key without passphrase>
-----END RSA PRIVATE KEY-----

Erratta

The original private key should remain secure. You may want to delete the version without the passphrase when you complete these steps, and store the original in a safe place.