Pharos EDI: How to create a certificate with Subject Alternate Names (SANs)
- Updated on 02 Apr 2024
Goal
Generate an SSL certificate that supports Subject Alternate Names (SANs)
Environment
Pharos EDI Web Service
Pharos Print Center
Generating a Certificate Request containing Subject Alternate Names
Use the attached form to submit your request for a SAN certificate to Pharos Systems Technical Support. Technical Support can provide a SAN certificate for both SHA-128 and SHA-256 environments, in either 1024 or 2048-bit length.
Part I. Configure OpenSSL to create a CSR that includes X.509 v3 extensions, including a list of subject alternative names.
1. Open openssl.cnf.
2. Find the [req] section and add this line:
req_extensions = v3_req
3. Go to the [v3_req] section and edit it so that it looks like this:
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
4. Add this section to the .cnf file:
[alt_names]
DNS.1 = kb.example.com
DNS.2 = helpdesk.example.com
DNS.3 = systems.example.com
NOTE: You can assign as many "DNS.n" as you need. DNS.1 must be the actual server name for better platform support, but the others can be whatever is necessary for the environment.
5. Save the file and close it.
6. In a command prompt with appropriate permissions (OpenSSL may be installed to a folder that is protected), run the following command. Use the passphrase pharos-edi when prompted.
openssl req -new -out servername.csr -key PharosPrivateKey.pem -config openssl.cnf
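The edits from steps 2 to 4 can be checked before the CSR is generated. The following is an added example, not part of the original article or of Pharos tooling: a simplified parser (sections, key = value lines and # comments only) that confirms [req] points at the extension section, that subjectAltName references an existing section, and that DNS.1 is the actual server name. The names parse_cnf, check_san_config and HOSTNAME are hypothetical, and the sample config is constructed from the steps above.

```python
import re
# Constructed sample: the openssl.cnf fragments from Part I, steps 2-4.
SAMPLE_CNF = """\
[ req ]
req_extensions = v3_req
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kb.example.com
DNS.2 = helpdesk.example.com
DNS.3 = systems.example.com
"""

HOSTNAME = re.compile(r"(\*\.)?([A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}")

def parse_cnf(text):
    """Parse OpenSSL-style config text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_san_config(text, server_name):
    """Return (problems, dns_names) for the SAN setup described in Part I."""
    cnf, problems = parse_cnf(text), []
    ext = cnf.get("req", {}).get("req_extensions")
    if ext is None:
        return ["[req] has no req_extensions line"], []
    san = cnf.get(ext, {}).get("subjectAltName", "")
    if not san.startswith("@") or san[1:] not in cnf:
        return [f"[{ext}] subjectAltName does not point at an existing section"], []
    entries = cnf[san[1:]]
    dns = [v for k, v in entries.items() if re.fullmatch(r"DNS\.\d+", k)]
    if entries.get("DNS.1") != server_name:
        problems.append(f"DNS.1 is {entries.get('DNS.1')!r}, expected {server_name!r}")
    for name in dns:
        if not HOSTNAME.fullmatch(name):  # e.g. a pasted URL or stray space
            problems.append(f"not a DNS name: {name!r}")
    return problems, dns
```

Calling check_san_config(SAMPLE_CNF, "kb.example.com") returns an empty problem list together with the three DNS names that should later appear in the certificate.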
Part II. Creating the Certificate and PFX Files.
1. Edit go.bat and change the openssl command line as follows (or add it as a new line and REM out the old one). Make sure the modified openssl.cnf file is still in place, and note the added -extensions v3_req option.
openssl ca -in "%CERT%" -config openssl.cnf -policy policy_anything -key pharos-edi -extensions v3_req -out outfile.pem -batch
2. Drag the CSR created in Part I, Step 6 onto go.bat to create the certificate.
3. Create a ".pfx" file. Run this command:
openssl pkcs12 -export -out servername.pfx -inkey PharosPrivateKey.pem -in servername.cer
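Again, provide the passphrase pharos-edi for PharosPrivateKey.pem when prompted. You do not need to specify an Export Password: press <Enter>, then press <Enter> again when asked to verify the password. A .pfx exported with an empty password carries the private key without effective protection, so handle the file accordingly while it is moved to the server.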
Part III. Adding the Certificate to the Server.
1. Move the .PFX file to the server.
2. Launch IIS Manager.
3. Open "Server Certificates" and choose "Import..." from the Actions menu.
4. Browse to the .PFX file.
5. Once installed, the new certificate can be bound to HTTP/443 (or whatever is in use at the site).