Follow these steps:
- SSH to IMSVA with the root account.
- Create a backup of the OpenSSL configuration by running the following command.
cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl-ORIG
- Open the openssl.cnf file using a text editor. For example, if you are using the Vi text editor, run the following command.
vi /etc/pki/tls/openssl.cnf
- Look for the [ req ] section and remove the leading “#” from the following line to uncomment it.
# req_extensions = v3_req #
- Under the [ req ] section, change the value of default_md to “sha256”.
default_md = sha256
- Look for [ v3_req ] and add the following lines.
subjectAltName = @alt_names
[alt_names]
DNS.1 = imsva02.gz.cncorlab.com
DNS.2 = imsva03.gz.cncorlab.com
# Replace the DNS names with your IMSVAs' FQDNs
- Save the changes.
- Create a new private key by running the following command.
openssl genrsa -out imsva_key.pem 2048
- Generate the CSR by running the following command.
openssl req -new -out imsva.csr -key imsva_key.pem -config /etc/pki/tls/openssl.cnf
When prompted, answer the usual CSR questions.
- Confirm the information by running the following command.
openssl req -text -noout -in imsva.csr
You should see the primary Common Name and the SANs. As an example:
Certificate Request:
...
Requested Extensions:
...
X509v3 Subject Alternative Name:
DNS:imsva02.gz.cncorlab.com, DNS:imsva03.gz.cncorlab.com
- Copy imsva.csr and imsva_key.pem out with WinSCP or similar tools. Submit the CSR file imsva.csr to the third party CA, and request the signed certificates in PEM format.
- If your third party CA doesn't provide PEM format certificates for downloading, please refer to its FAQ for the procedure to convert the certificates to PEM format. For example, https://www.digicert.com/ssl-support/pem-ssl-creation.htm
Alternatively, refer to the article Converting Certificates - OpenSSL.
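The confirmation step above can be scripted so that the CSR is checked against the openssl.cnf changes before it is submitted to the CA. This is an added example, not part of the original article or of IMSVA; the function name check_csr_text is an assumption, and it reads the output of openssl req -text -noout from standard input.

```shell
# Added example: validate a CSR text dump read from stdin.
# Usage on the appliance (file name taken from the steps above):
#   openssl req -text -noout -in imsva.csr | \
#       check_csr_text imsva02.gz.cncorlab.com imsva03.gz.cncorlab.com
check_csr_text() {
    text=$(cat)
    rc=0

    # default_md = sha256 must result in a SHA-256 signature on the request.
    case $text in
        *"Signature Algorithm: sha256WithRSAEncryption"*) ;;
        *) echo "FAIL: CSR is not signed with sha256WithRSAEncryption" >&2; rc=1 ;;
    esac

    # "openssl genrsa ... 2048" must result in a 2048-bit key.
    # Older OpenSSL builds print "RSA Public Key" instead of "Public-Key".
    case $text in
        *"Public-Key: (2048 bit)"*|*"RSA Public Key: (2048 bit)"*) ;;
        *) echo "FAIL: public key is not 2048 bit" >&2; rc=1 ;;
    esac

    # The SAN values are printed on the line after the extension name.
    sans=$(printf '%s\n' "$text" |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr -d ' ' | tr ',' '\n')

    # Every FQDN given as an argument must appear as an exact DNS: entry.
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -Fxq "DNS:$name"; then
            echo "FAIL: SAN DNS:$name is missing from the CSR" >&2
            rc=1
        fi
    done

    return $rc
}
```

A non-zero return value means the CSR does not reflect the configuration changes; a missing SAN block usually means the req_extensions line is still commented out.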