Can we use SAN certificate for a cluster of Ironport ESAs?

We have 6 C670 appliances all connected in a cluster. As of now, we have individual SSL certificates installed on each appliance. We are contemplating the idea of going for one SAN certificate instead of individual certificates. Can this be done? How can we configure each IronPort to refer to one certificate?

5 Replies

You can use a SAN cert.  You have to install it on each box.  (which means you need the private key too...)

Check with your cert provider on the license for that cert.  Some of them limit the number of machines you can install the cert on.

Thanks Ken. But wouldn't that carry the same hostname for all the appliances then? I'm not well informed about how SAN certificate works, but, do we need to create individual CSR files from each appliance to obtain one SAN cert and then install that one SAN cert for each certificate profile?

No, as that's the point of a SAN cert (SAN stands for "Subject Alternative Name"). The SAN cert can have many different names, and they don't have to be related. It's sort of like a wildcard cert (e.g. *.domain.com), but instead of everything having to end in "domain.com", it can have any name you want... so you can have "box1.domain1.com", "box2.domain2.com", etc...

No, you don't generate the CSR on each box... I do it once on a Windows box, export the cert and private key, split into its pieces using OpenSSL and upload it to as many boxes as I need to...   I use one wildcard cert since I use one mail handler on one domain for all of my domains...

Ken

mannsisodiya
Level 1

Yes, you can use a single SAN (Subject Alternative Name) certificate for all your C670 appliances instead of individual certificates. This simplifies management and can reduce costs. First, obtain a SAN certificate from a trusted CA that includes all the domain names of your appliances, or you can get one somewhere else, like I have one from cheapsslweb. Then, prepare the SAN certificate and its private key. On each C670 appliance, upload the SAN certificate and configure the appliance to use it. Ensure that the certificate includes all necessary domains and is properly installed on each device. This allows all appliances to refer to the same certificate for secure communications.

Auteri
Level 1

We use OpenSSL to create a CSR (Certificate Signing Request). It will enable you to create one certificate for all nodes and multiple interfaces/listeners.

Create a config file and save it as cert_config.cnf

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
# Replace the *** placeholders with your organization's values (countryName is a two-letter code)
countryName = ***
stateOrProvinceName = ***
localityName = ***
organizationName = ***
organizationalUnitName = ***
commonName = Common Name (FQDN)
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
# DNS.1 must repeat the commonName; add one DNS.n line per node or listener name
DNS.1 = fqdn same as cn (commonName)
DNS.2 = additional dns 1 (if needed)
DNS.3 = additional dns 2 (if needed)
# DNS.4 = ... (continue numbering as needed)
# IP entries are optional; do not leave an IP.n line with an empty value, OpenSSL rejects it
IP.1 = <IPaddress>
# IP.2 = <second IP address, if needed>

Create CSR: 

openssl req -out cert_req.csr -newkey rsa:2048 -nodes -keyout cert_private.key -config cert_config.cnf

Create certificate based on PEM with public and private key.

openssl pkcs12 -export -out cert_archive.pfx -inkey cert_private.key -in cert_signed.cer

Save the certificate at cluster level config. You'll be able to use this certificate on all cluster nodes on all config levels (machine/group/cluster).

Success!
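The CSR procedure above, carried through as an added example (not part of the original thread), with a check that the request really lists every cluster node name before it goes to the CA; the node names and subject values are constructed placeholders:

```shell
#!/bin/sh
# Added example, not from the thread: build a SAN CSR as described above and
# verify it lists every cluster node before sending it to the CA.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Constructed node names; replace with the FQDNs of your appliances/listeners.
NODES="esa1.example.com esa2.example.com esa3.example.com"

# Same layout as cert_config.cnf above, with constructed values filled in.
cat > cert_config.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = State
localityName = City
organizationName = Example Org
organizationalUnitName = Mail
commonName = esa1.example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = esa1.example.com
DNS.2 = esa2.example.com
DNS.3 = esa3.example.com
EOF

# Key size comes from -newkey here (it overrides default_bits in the config).
openssl req -out cert_req.csr -newkey rsa:2048 -nodes \
  -keyout cert_private.key -config cert_config.cnf 2>/dev/null

# Print the DNS entries from the CSR's Subject Alternative Name extension.
csr_dns_names() {
  openssl req -in "$1" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Print each expected name the CSR lacks; prints nothing when all are present.
missing_san() {
  csr=$1; shift
  names=$(csr_dns_names "$csr")
  for n in "$@"; do
    echo "$names" | grep -qx "$n" || echo "$n"
  done
}

[ -z "$(missing_san cert_req.csr $NODES)" ] && echo "CSR lists all cluster nodes"
```

Run the same `missing_san` check against the signed certificate (`openssl x509 -in cert_signed.cer -noout -text` in place of `openssl req`) before uploading it, so a CA that dropped a SAN entry is caught before it reaches the cluster.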