Creating a multi-domain (SAN) SSL certificate signing request
Procedure
- Use SSH to log in to the QRadar Console.
- Create and save a sancert.conf configuration file containing the following information:

    [ req ]
    default_bits       = 2048            # RSA key size
    encrypt_key        = no              # Protect private key
    default_md         = sha256          # MD to use
    utf8               = yes             # Input is UTF-8
    string_mask        = utf8only        # Emit UTF-8 strings
    prompt             = no              # Prompt for DN
    distinguished_name = server_dn       # DN template
    req_extensions     = server_reqext   # Desired extensions

    [ server_dn ]
    countryName            = <country_or_region_code>   # ISO 3166
    stateOrProvinceName    = <state_or_province>
    localityName           = <city_or_locality>
    organizationName       = <organization_name>
    organizationalUnitName = <organizational_unit_name>
    commonName             = <common_name>              # Should match a SAN under alt_names

    [ server_reqext ]
    basicConstraints     = CA:FALSE
    keyUsage             = critical,digitalSignature,keyEncipherment
    extendedKeyUsage     = serverAuth
    subjectKeyIdentifier = hash
    subjectAltName       = @alt_names

    [alt_names]
    DNS.1 = qradar.example.com    #Example
    DNS.2 = console.example.com   #Example
    IP.3  = 192.0.2.0             #Example
- Generate a private key and public certificate signing request (CSR) pair by using the following command:

    openssl req -new -nodes -sha256 -out <csr_filename>.csr -config sancert.conf -keyout <privatekey_filename>.key

  The CSR file is used to create the SSL certificate, with either an internal CA or a commercial certificate authority. The key file is created in the current directory. Keep this file to use when you install the certificate.
- If you want to verify the information in the CSR before you send it, type the following command:

    openssl req -noout -text -in <csr_filename>.csr

If incorrect information was entered, update the sancert.conf configuration file and repeat the previous step.
- Use the Secure File Transfer Protocol or another program to securely copy the CSR file to your computer.
- Submit the CSR to your internal or commercial certificate authority for signing, according to their instructions.
Note: The CSR is identified as a certificate in Apache format.
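
The verification step above can be scripted. The following shell function is an added example, not part of the original procedure: it reads the output of `openssl req -noout -text` on standard input and checks it against the values that sancert.conf requests (commonName present under subjectAltName, 2048-bit key, sha256 signature, CA:FALSE). The function names and the sample text are constructed for illustration.

```shell
# Added example: lint the text form of a CSR before it goes to the CA.
# Usage: openssl req -noout -text -in <csr_filename>.csr | check_csr_text
# Returns 0 when every check passes, 1 otherwise; findings go to stderr.
check_csr_text() {
    txt=$(cat)
    rc=0
    # Subject CN; OpenSSL prints "CN = x" or "CN=x" depending on version.
    cn=$(printf '%s\n' "$txt" |
        sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//' | head -n 1)
    # The SAN entries sit on the line after the extension header.
    sans=$(printf '%s\n' "$txt" |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed 's/^ *//; s/^DNS://; s/^IP Address://')
    bits=$(printf '%s\n' "$txt" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$cn" ] || ! printf '%s\n' "$sans" | grep -qixF -- "$cn"; then
        echo "FAIL: commonName '$cn' is not listed under subjectAltName" >&2; rc=1
    fi
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: key is ${bits:-unknown} bits, sancert.conf asks for 2048" >&2; rc=1
    fi
    if ! printf '%s\n' "$txt" | grep -q 'Signature Algorithm: sha256'; then
        echo "FAIL: CSR is not signed with sha256" >&2; rc=1
    fi
    if ! printf '%s\n' "$txt" | grep -q 'CA:FALSE'; then
        echo "FAIL: basicConstraints CA:FALSE is missing" >&2; rc=1
    fi
    return $rc
}

# Constructed, abridged sample of `openssl req -noout -text` output.
# $1 = commonName, $2 = key size in bits.
sample_csr_text() {
    cat <<EOF
Certificate Request:
        Subject: C = US, O = Example Org, CN = $1
        Subject Public Key Info:
                Public-Key: ($2 bit)
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:qradar.example.com, DNS:console.example.com, IP Address:192.0.2.0
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

sample_csr_text qradar.example.com 2048 | check_csr_text && echo "sample CSR text passes"
```

A non-zero return means the sancert.conf file should be corrected and the CSR regenerated before submission.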