Creating a multi-domain (SAN) SSL certificate signing request

Procedure

  1. Use SSH to log in to the QRadar® Console.
  2. Create and save a sancert.conf configuration file containing the following information:
    [ req ]
    default_bits            = 2048  # RSA key size
    encrypt_key             = no  # Do not encrypt the private key
    default_md              = sha256  # MD to use
    utf8                    = yes  # Input is UTF-8
    string_mask             = utf8only  # Emit UTF-8 strings
    prompt                  = no  # Prompt for DN
    distinguished_name      = server_dn  # DN template
    req_extensions          = server_reqext  # Desired extensions
    
    [ server_dn ]
    countryName             = <country_or_region_code>  # ISO 3166
    stateOrProvinceName     = <state_or_province>
    localityName            = <city_or_locality>
    organizationName        = <organization_name>
    organizationalUnitName  = <organizational_unit_name>
    commonName              = <common_name>  # Should match a SAN under alt_names
    
    [ server_reqext ]
    basicConstraints        = CA:FALSE
    keyUsage                = critical,digitalSignature,keyEncipherment
    extendedKeyUsage        = serverAuth
    subjectKeyIdentifier    = hash
    subjectAltName          = @alt_names
    
    [alt_names]
    DNS.1                   = qradar.example.com  # Example
    DNS.2                   = console.example.com  # Example
    IP.3                    = 192.0.2.0  # Example
  3. Generate a private key and public certificate signing request (CSR) pair by using the following command:
    openssl req -new -nodes -sha256 -out <csr_filename>.csr -config sancert.conf \
        -keyout <privatekey_filename>.key

    The CSR file is used to create the SSL certificate, with either an internal CA or a commercial certificate authority. The key file is created in the current directory. Keep this file to use when you install the certificate.

  4. If you want to verify the information in the CSR before you send it, type the following command:
    openssl req -noout -text -in <csr_filename>.csr

    If incorrect information was entered, update the sancert.conf configuration file and repeat the previous step.

  5. Use the Secure File Transfer Protocol or another program to securely copy the CSR file to your computer.
  6. Submit the CSR to your internal or commercial certificate authority for signing, according to their instructions.
    Note: The CSR is identified as a certificate in Apache format.
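
The check in step 4 can be scripted. The following is an added example, not part of the original procedure: it reads the text that openssl req -noout -text prints and confirms that the request carries a subjectAltName and that the commonName is one of its DNS entries, as the comment in sancert.conf asks. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks on `openssl req -noout -text -in <csr_filename>.csr` output.

# Constructed sample of that output, trimmed to the lines the checks read.
SAMPLE_CSR_TEXT='Certificate Request:
    Data:
        Subject: C = US, O = Example Org, CN = qradar.example.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:qradar.example.com, DNS:console.example.com, IP Address:192.0.2.0'

# Print the commonName from the Subject line ("CN = x" or "CN=x" spelling).
csr_cn() {
    sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*$/\1/p' | head -n 1
}

# Print one SAN per line, e.g. "DNS:host" or "IP Address:192.0.2.0".
csr_sans() {
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Read CSR text on stdin. Returns 0 if the CN is one of the DNS SANs,
# 1 if it is not, 2 if the request carries no subjectAltName at all.
check_csr_text() {
    text=$(cat)
    cn=$(printf '%s\n' "$text" | csr_cn)
    sans=$(printf '%s\n' "$text" | csr_sans)
    if [ -z "$sans" ]; then
        echo "FAIL: no subjectAltName in request (check req_extensions)"
        return 2
    fi
    if [ -n "$cn" ] && printf '%s\n' "$sans" | grep -Fxq "DNS:$cn"; then
        echo "OK: CN $cn is listed as a DNS SAN"
        return 0
    fi
    echo "FAIL: CN '$cn' is not among the SANs"
    return 1
}

# With a CSR file argument, check it; otherwise run on the constructed sample.
if [ -f "${1:-}" ]; then
    openssl req -noout -text -in "$1" | check_csr_text
else
    printf '%s\n' "$SAMPLE_CSR_TEXT" | check_csr_text
fi
```

A return value of 2 usually means the req_extensions line or the [ server_reqext ] section was not picked up from sancert.conf.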