03-05-2014 09:34 AM
We have 6 C670 appliances all connected in a cluster. As of now, we have individual SSL certificates installed on each appliance. We are contemplating the idea of going for one SAN certificate instead of individual certificates. Can this be done? How can we configure each IronPort to refer to one certificate?
03-05-2014 09:36 AM
You can use a SAN cert. You have to install it on each box. (which means you need the private key too...)
Check with your cert provider on the license for that cert. Some of them limit the number of machines you can install the cert on.
03-05-2014 09:53 AM
Thanks Ken. But wouldn't that carry the same hostname for all the appliances then? I'm not well informed about how SAN certificate works, but, do we need to create individual CSR files from each appliance to obtain one SAN cert and then install that one SAN cert for each certificate profile?
03-05-2014 10:08 AM
No, as that's the point of a SAN cert (SAN stands for "Subject Alternative Name"). The SAN cert can have many different names, and they don't have to be related. It's sort of like a wildcard cert (e.g. *.domain.com), but instead of everything having to end in "domain.com", it can have any name you want... so you can have "box1.domain1.com", "box2.domain2.com", etc...
No, you don't generate the CSR on each box... I do it once on a Windows box, export the cert and private key, split into its pieces using OpenSSL and upload it to as many boxes as I need to... I use one wildcard cert since I use one mail handler on one domain for all of my domains...
Ken
07-10-2024 02:21 AM
Yes, you can use a single SAN (Subject Alternative Name) certificate for all your C670 appliances instead of individual certificates. This simplifies management and can reduce costs. First, obtain a SAN certificate from a trusted CA that includes all the domain names of your appliances, or you can get it somewhere else, like the one I have from cheapsslweb. Then, prepare the SAN certificate and its private key. On each C670 appliance, upload the SAN certificate and configure the appliance to use it. Ensure that the certificate includes all necessary domains and is properly installed on each device. This allows all appliances to refer to the same certificate for secure communications.
07-10-2024 04:36 AM
We use OpenSSL to create a CSR (Certificate Signing Request). It will enable you to create one certificate for all nodes and multiple interfaces/listeners.
Create a config file and save it as cert_config.cnf
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = ***
stateOrProvinceName = ***
localityName = ***
organizationName = ***
organizationalUnitName = ***
commonName = Common Name (FQDN)
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = fqdn same as cn (commonName)
DNS.2 = additional dns 1 (if needed)
DNS.3 = additional dns 2 (if needed)
DNS.4 = ……..
IP.1 = <IPaddress>
IP.2 = <additional IP address> (remove this line if not needed; an empty value makes openssl reject the config)
Create CSR:
openssl req -out cert_req.csr -newkey rsa:2048 -nodes -keyout cert_private.key -config cert_config.cnf
Create a PKCS#12 archive from the signed certificate (PEM) and the private key.
openssl pkcs12 -export -out cert_archive.pfx -inkey cert_private.key -in cert_signed.cer
Save the certificate at cluster-level config. You'll be able to use this certificate on all cluster nodes on all config levels (machine/group/cluster).
Success!
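The CSR workflow from the post above, as an added example that is not the poster's code: it writes a cert_config.cnf with the same layout, generates the key and CSR, then runs the two checks worth doing before one private key is copied onto every cluster node (the CSR really carries every node name, and the returned certificate matches the key). It assumes openssl is on PATH; the hostnames and address are constructed placeholders, and the self-signing helper only stands in for the CA so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not the poster's code. Assumes openssl on PATH; hostnames and
# addresses used with it are constructed placeholders.
set -eu

# make_san_csr DIR CN NAME... : write cert_config.cnf, cert_private.key, cert_req.csr.
# Dotted-decimal NAMEs become IP.n entries, everything else DNS.n (constructed rule).
make_san_csr() {
    dir=$1; cn=$2; shift 2
    mkdir -p "$dir"
    {
        printf '[ req ]\ndefault_bits = 2048\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = req_ext\nprompt = no\n[ req_distinguished_name ]\n'
        printf 'commonName = %s\n[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\n' "$cn"
        i=1
        for name in "$@"; do
            case $name in
                *[!0-9.]*) printf 'DNS.%d = %s\n' "$i" "$name" ;;
                *)         printf 'IP.%d = %s\n' "$i" "$name" ;;
            esac
            i=$((i + 1))
        done
    } > "$dir/cert_config.cnf"
    openssl req -out "$dir/cert_req.csr" -newkey rsa:2048 -nodes \
        -keyout "$dir/cert_private.key" -config "$dir/cert_config.cnf" 2>/dev/null
}

# csr_sans DIR: print the SAN list openssl parsed from the CSR, so a missing node
# name is caught before the CSR goes to the CA.
csr_sans() {
    openssl req -in "$1/cert_req.csr" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# self_sign_for_demo DIR: stands in for the CA so the key check can be exercised;
# in real use cert_signed.cer is the file the CA returns for cert_req.csr.
self_sign_for_demo() {
    openssl x509 -req -in "$1/cert_req.csr" -signkey "$1/cert_private.key" -days 1 \
        -extfile "$1/cert_config.cnf" -extensions req_ext -out "$1/cert_signed.cer" 2>/dev/null
}

# key_matches_cert KEY CERT: true only if CERT carries the public half of KEY; a
# mismatch means the wrong key is about to be pushed to all nodes with the cert.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout)
    c=$(openssl x509 -in "$2" -pubkey -noout)
    [ "$k" = "$c" ]
}
```

Run csr_sans on the CSR and key_matches_cert on the CA-returned certificate before the pkcs12 export, then upload the same archive to each node as the post describes.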