Overview
When you have to install a server certificate on multiple inSync servers (the inSync master server, remote inSync storage node servers, and the edge server), Druva recommends installing a Subject Alternative Name (SAN) certificate that applies to all of them.
This article provides the steps to create a Certificate Signing Request (CSR) for a SAN certificate using the OpenSSL tool.
Create a CSR for a SAN certificate
Log in to the server on which the OpenSSL tool is installed.
Create a file named mysan.cnf in C:\OpenSSL-WinXX\bin with the following content:
{code}
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = test.domain.com
DNS.2 = test2.domain.com
DNS.3 = test3.domain.com
{code}
Verify the server FQDNs listed under alt_names. This is the section you have to change to add further DNS names.
Open the command prompt as an administrator and change the directory to C:\OpenSSL-WinXX\bin.
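Generate the CSR and the private key file with this command. The -nodes option writes server.key without passphrase encryption, so restrict access to the key files.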
openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config mysan.cnf
Enter the details to complete the CSR. Common Name must be the FQDN of the inSync master server.
Convert the server.key to RSA format using:
openssl rsa -in server.key -out myserver.key
You now have the myserver.key file in the required RSA format.
Thus, the CSR and private key are created.
Verification
To verify the CSR for SAN:
Open the command prompt as an administrator and change the directory to C:\OpenSSL-WinXX\bin and run:
openssl req -noout -text -in server.csr
Under Subject Alternative Name, the DNS names for which this CSR is valid must appear:
DNS:test.domain.com, DNS:test2.domain.com, DNS:test3.domain.com
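As an added example (not part of the original article or of Druva's tooling), the following Python script automates the verification step: it parses the text printed by openssl req -noout -text and reports missing or unexpected SAN entries, a Common Name that is not also a SAN entry, and an RSA key smaller than 2048 bits. The function names parse_csr_text and check_csr and the sample output are constructed for illustration.

```python
import re

# Constructed sample of `openssl req -noout -text -in server.csr` output (not a real CSR).
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Subject: C = US, ST = State, L = City, O = Example Org, CN = test.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:test.domain.com, DNS:test2.domain.com, DNS:test3.domain.com
"""

def parse_csr_text(text):
    """Return (common_name, rsa_key_bits, san_dns_names) from the text dump."""
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    # The SAN values are printed on the line after the extension header.
    san = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    dns = []
    for entry in (san.group(1).split(",") if san else []):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS" and value:
            dns.append(value.lower())
    return (cn.group(1).strip().lower() if cn else None,
            int(bits.group(1)) if bits else None, dns)

def check_csr(text, expected_hosts, min_bits=2048):
    """Return a list of problems; an empty list means the CSR matches expectations."""
    common_name, key_bits, dns_names = parse_csr_text(text)
    expected = {h.lower() for h in expected_hosts}
    present = set(dns_names)
    problems = []
    if not present:
        problems.append("no Subject Alternative Name entries in CSR")
    problems += [f"missing SAN entry: {h}" for h in sorted(expected - present)]
    problems += [f"unexpected SAN entry: {h}" for h in sorted(present - expected)]
    # Clients that honor SAN ignore the CN, so the CN host must also be a SAN entry.
    if common_name and common_name not in present:
        problems.append(f"Common Name {common_name} is not listed as a SAN")
    if key_bits is None or key_bits < min_bits:
        problems.append(f"RSA key size {key_bits} is below {min_bits} bits")
    return problems

if __name__ == "__main__":
    hosts = ["test.domain.com", "test2.domain.com", "test3.domain.com"]
    print(check_csr(SAMPLE_CSR_TEXT, hosts) or "CSR matches the expected host list")
```

To check a real CSR, save the output of the openssl req command to a file and pass its contents to check_csr together with your own list of server FQDNs.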
Next steps:
Once you get the signed certificate, create the inSyncServerSSL.key file using the signed SAN certificate and myserver.key. See How to set up and install a Trusted Certificate from a Certification Authority (CA) for reference.