How to create CSR for a SAN certificate

Overview

When you have to install a server certificate on multiple inSync servers, including the inSync master server, remote inSync storage node servers, and the edge server, Druva recommends installing a SAN certificate that applies to all of them.

This article provides the steps to create a Certificate Signing Request (CSR) for a SAN certificate using the OpenSSL tool.

Create a CSR for a SAN certificate

  1. Log in to the server on which the OpenSSL tool is installed.

  2. Create a file named mysan.cnf with the following information at the location: C:\OpenSSL-WinXX\bin

    [ req ]
    default_bits       = 2048
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
    [ req_distinguished_name ]
    countryName         = Country Name (2 letter code)
    stateOrProvinceName = State or Province Name (full name)
    localityName        = Locality Name (eg, city)
    organizationName    = Organization Name (eg, company)
    commonName          = Common Name (e.g. server FQDN or YOUR name)
    [ req_ext ]
    subjectAltName = @alt_names
    [alt_names]
    DNS.1   = test.domain.com
    DNS.2   = test2.domain.com
    DNS.3   = test3.domain.com

  3. Verify the server FQDNs listed under alt_names. The alt_names section is the one you change to add more DNS names.

  4. Open the command prompt as an administrator and change the directory to C:\OpenSSL-WinXX\bin.

  5. Generate the CSR and KEY file with this command.

    openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config mysan.cnf

  6. Enter the details to complete the CSR. The Common Name must be the FQDN of the inSync master server.

  7. Convert the server.key to RSA format using:

    openssl rsa -in server.key -out myserver.key

  8. You now have the myserver.key file in the required RSA format. The CSR and the private key are created.

Verification

To verify the CSR for SAN:

  1. Open the command prompt as an administrator and change the directory to C:\OpenSSL-WinXX\bin and run:

    openssl req -noout -text -in server.csr

  2. Under Subject Alternative Name, the DNS names for which this CSR is valid must appear.

    DNS:test.domain.com, DNS:test2.domain.com, DNS:test3.domain.com
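
The same verification can be scripted. The following Python script is an added example, not part of Druva's procedure: it compares the DNS entries in the [alt_names] section of mysan.cnf with the Subject Alternative Name line printed by `openssl req -noout -text` and reports names that the CSR lacks or carries unexpectedly. The function names and the sample text are constructed for illustration, and `check_files` assumes openssl is on the PATH.

```python
import re
import subprocess

# Constructed sample inputs that mirror the names used in this article.
SAMPLE_CNF = """\
[ req ]
req_extensions = req_ext
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = test.domain.com
DNS.2   = test2.domain.com
DNS.3   = test3.domain.com
"""
SAMPLE_REQ_TEXT = """\
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:test.domain.com, DNS:test2.domain.com
"""

def alt_names_from_cnf(cnf_text):
    """Return the DNS.n values of the [alt_names] section, lower-cased."""
    names, in_section = [], False
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("["):
            in_section = line.strip("[] \t") == "alt_names"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.upper().startswith("DNS."):
                names.append(value.lower())
    return names

def san_from_req_text(req_text):
    """Return the DNS names on the line after the SAN header; [] if the extension is absent."""
    lines = req_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "X509v3 Subject Alternative Name" in line:
            return [n.lower() for n in re.findall(r"DNS:([^,\s]+)", lines[i + 1])]
    return []

def compare(cnf_text, req_text):
    wanted, got = set(alt_names_from_cnf(cnf_text)), set(san_from_req_text(req_text))
    return {"missing": sorted(wanted - got), "unexpected": sorted(got - wanted)}

def check_files(cnf_path="mysan.cnf", csr_path="server.csr"):
    """Run the article's verification command and compare its output with the config."""
    cmd = ["openssl", "req", "-noout", "-text", "-in", csr_path]
    req_text = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    with open(cnf_path) as fh:
        return compare(fh.read(), req_text)

if __name__ == "__main__":
    print(compare(SAMPLE_CNF, SAMPLE_REQ_TEXT))
```

Call `check_files()` from the directory that holds mysan.cnf and server.csr; two empty lists mean the CSR carries exactly the names in the config.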

Next steps:

Once you get the signed certificate, create inSyncServerSSL.key file using the signed SAN certificate and myserver.key. See How to set up and install a Trusted Certificate from a Certification Authority (CA) for reference.
