Question:
A CSR (Certificate Signing Request) generated from the AKIPS GUI doesn’t allow the inclusion of a SAN (Subject Alternate Name) field, which is required by modern browsers.
Answer:
It is possible to generate a CSR from the AKIPS CLI using openssl, though it’s also possible to generate a CSR for AKIPS from an external device. You will need to include the private key along with the signed certificate when it is imported into AKIPS 'Admin' -> 'General' -> 'SSL Settings'.
1. SSH to your AKIPS Server:
ssh akips@<your-AKIPS-Server>
2. Change to the ‘etc’ directory:
cd etc
3. Create the CSR. As part of this process, a private key (privatekey.key) will be created, which will need to be added when the signed certificated is imported into AKIPS. The common name (CN) needs to match the SAN that you specify:
openssl req -newkey rsa:2048 -nodes -keyout privatekey.key -out akips.csr -subj "/CN=akips.example.com" -addext "subjectAltName=DNS:akips.example.com"
4. If needed, you can add multiple SANs to the CSR.
openssl req -newkey rsa:2048 -nodes -keyout privatekey.key -out akips.csr -subj "/CN=akips.example.com" -addext "subjectAltName=DNS:akips.example.com,DNS:dev99.example.com"
5. Certificate attributes can also be added to the CSR:
openssl req -newkey rsa:2048 -nodes -keyout privatekey.key -out akips.csr -subj "/C=AU/ST=Queensland/L=Shailer Park/O=Example Pty Ltd/OU=Development/CN=akips.example.com" -addext "subjectAltName=DNS:akips.example.com,DNS:dev99.example.com"
Comments
0 comments
Article is closed for comments.