Creating a multi-domain (SAN) SSL certificate signing request

Procedure

  1. Use SSH to log in to the QRadar Console.
  2. Create and save a sancert.conf configuration file containing the following information:
    [ req ]
    default_bits            = 2048  # RSA key size
    encrypt_key             = no  # Protect private key
    default_md              = sha256  # MD to use
    utf8                    = yes  # Input is UTF-8
    string_mask             = utf8only  # Emit UTF-8 strings
    prompt                  = no  # Prompt for DN
    distinguished_name      = server_dn  # DN template
    req_extensions          = server_reqext  # Desired extensions
    
    [ server_dn ]
    countryName             = <country_or_region_code>  # ISO 3166
    stateOrProvinceName     = <state_or_province>
    localityName            = <city_or_locality>
    organizationName        = <organization_name>
    organizationalUnitName  = <organizational_unit_name>
    commonName              = <common_name>  # Should match a SAN under alt_names
    
    [ server_reqext ]
    basicConstraints        = CA:FALSE
    keyUsage                = critical,digitalSignature,keyEncipherment
    extendedKeyUsage        = serverAuth
    subjectKeyIdentifier    = hash
    subjectAltName          = @alt_names
    
    [alt_names]
    DNS.1			= qradar.example.com  #Example
    DNS.2			= console.example.com  #Example
    IP.3			 = 192.0.2.0  #Example
  3. Generate a private key and public certificate signing request (CSR) pair by using the following command:
    openssl req -new -nodes -sha256 -out <csr_filename>.csr -config sancert.conf 
    -keyout <privatekey_filename>.key

    The CSR file is used to create the SSL certificate, with either an internal CA or commercial certificate authorities The key file is created in the current directory. Keep this file to use when you install the certificate.

  4. If you want to verify the information in the CSR before you send it, type the following command:
    openssl req -noout -text -in <csr_filename>.csr

    If incorrect information was entered, update the sancert.conf configuration file and repeat the previous step.

  5. Use the Secure File Transfer Protocol or another program to securely copy the CSR file to your computer.
  6. Submit the CSR to your internal or commercial certificate authority for signing, according to their instructions.
    Note: The CSR is identified as a certificate in Apache format.