SecureNT Intranet SSL

SSL/TLS Certificates for Internal Networks.

FAQs

Those might have popped-up in your mind.

Categories

list

All FAQs

 check_circle

General FAQs

 install_desktop

Installation FAQs

 cognition

Technical FAQs
How to create CSR with SAN values using OpenSSL ?
Technical
keyboard_arrow_down

For creating CSR with SAN values (X.509 v3 Extension) it’s important to create a configuration file with the required certificate details. Execute following command in openssl.

openssl req -newkey rsa:2048 -nodes -keyout pvtkey.cer -config config.cnf -out csr.txt -utf8

It will create a Private key (pvtkey.cer) and CSR file (csr.txt).

Sample Configuration file (config.cnf)

[req]
prompt = no
distinguished_name = dn
req_extensions = ext

[dn]
CN = 192.168.2.23
O = Abc Corporation
L = Sydney
ST = New South Walse
C = AU

[ext]
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.2.23
IP.2 = 10.12.4.122
DNS.1 = 192.168.2.23
DNS.2 = 10.12.4.22
DNS.3 = sms.abc.local
DNS.4 = localhost

It will generate CSR with CN=192.168.2.23 and 3 SAN values: 10.12.4.122, sms.abc.local and localhost.

Notice that when IP address is there in CN or SAN, we need to put its value against both IP Address and DNS. For others (URL, Servername etc) only DNS value is required.

link Permalink arrow_forward
Tagged In
Certificate Signing Request CSR DNS IP Address localhost openssl SAN URL X.509 v3 Extension

No Comments Yet.

How to create the CSR with SAN in Windows IIS ?
Technical
keyboard_arrow_down

Following steps are applicable for all versions of IIS. Windows Server should be domain joined.

  1. Open the MMC console and add the Certificate snap-in to it as Local Computer. Right Click Personal node on the left and Select All Tasks –>Advanced Operations –> Create Custom Request.

  2. Choose Proceed without enrollment policy and Click Next. Choose No Template Legacy Key for compatibility reasons. Use PKCS#10.

  3. Click Next and click Properties. Give a friendly name for the certificate and a description. Ensure that you hit Apply as soon as you are done with the tab.

  4. Click on Subject tab and add all the hostnames under “Alternative Name“. Under Subject Name, enter the Common Name (CN), Organizational Unit (OU), Organization (O), State (S) and Country (C) values. Click Apply.

  5. Under the Extensions tab, expand Extended Key Usage (application policies) and select Server Authentication and Client Authentication. Click Apply.

  6. Under the Private Key tab, set the Key size to 2048 under Key options. Tick Make Private Key exportable. Select Exchange as the Key type. Click Apply. Click OK.

  7. Select a location to save the file. Choose the file format as Base 64. Click Finish.

CSR is generated with SAN values.

link Permalink arrow_forward
Tagged In
CSR IIS Microsoft MMC SAN Subject Alternative Name Windows Server

No Comments Yet.

How to generate correct CSR when IP address is in CN or SAN ?
Technical
keyboard_arrow_down

When an internal/external IP Address is part of Common Name (CN) or Subject Alternative Name (SAN) care needs to be taken while generating the CSR.

If not done correctly then the latest browsers like Chrome and Edge give an error – “Your connection to this site is not secure.” Note that deprecated Microsoft Internet Explorer does not give any error in this case.

Chrome Error when IP Address SAN value is not correct

To avoid this problem please ensure that the IP address is mentioned in the SAN extension as DNS Name and IP Address.

A sample configuration file is shown below for Multi-domain Certificate with 1+3 SAN values, where CN has IP-Address-1 and SAN values are IP-Address-2, SAN-1, and SAN-2.

[req]
prompt = no
distinguished_name = dn
req_extensions = ext

[dn]
CN = IP-Address-1
O = Org Name
L = Location/City
ST = State/Province
C = 2 digit code

[ext]
subjectAltName = @alt_names

[alt_names]
IP.1 = IP-Address-1
IP.2 = IP-Address-2
DNS.1 = IP-Address-1
DNS.2 = IP-Address-2
DNS.3 = SAN-1
DNS.4 = SAN-2

link Permalink arrow_forward
Tagged In
Common Name CSR Generate IP Address SAN

No Comments Yet.

Is it compulsory to provide CSR to get Intranet SSL ?
Technical
keyboard_arrow_down

Not necessary.

Just fill-up the form and we will generate the CSR (called Auto-CSR). And we will send the SSL Certificate along with the private key.

link Permalink arrow_forward
Tagged In
Auto-CSR CSR Intranet SSL Private Key

No Comments Yet.

While requesting Intranet SSL, should I generate CSR or just give certificate details ?
Technical
keyboard_arrow_down

Good question.

It is always recommended to generate CSR on your web server and share with us. This is because the private key generated during the CSR generation remains on your server, within your premises.

On the other hand, if you give certificate details to us, we generate the CSR. It is called Auto-CSR. During this process, private key is generated on our machine. When we ship the Intranet SSL to you, we send the SSL certificate along with the private key. This method is slightly risky because the private key can be intercepted by someone when it is sent through email.

But generation of CSR for Intranet SSL poses some technical challenges. Reason is that modern browsers expect the CSR to have require SAN values correctly specified.

For example, if the Common Name is “abc.local” then the CN=abc.local and SAN value should be DNS=abc.local. But it is not easy to generate CSR with SAN values on Windows or Linux.

Another issue comes when the certificate is to be issued to an IP address. In this case SAN should have two values. They are DNS=[IP-address] and IP=[IP-Address].

If any of these SAN values are not specified while generating the CSR then browser gives 'Certificate not Trusted' error.

Of course, we have shared the steps to generate CSR with SAN values. Link is given below.

  1. How to create the CSR with SAN in Windows IIS
  2. How to create the CSR with SAN Values using OpenSSL

link Permalink arrow_forward
Tagged In
Auto-CSR CSR DNS Generate Intranet SSL IP IP Address Linux SAN Windows

No Comments Yet.

Tags

10 year
2048
Android
Antivirus
Auto-CSR
automatically
avast
Azure
Bank
Bank Transfer
base domain
Binary
Binding
Browser
Buy
CA
CA certificate
CAB Forum
CABrowser
CER
Certificate
Certificate Signing Request
Certifying Authority
client PC
Common Name
Credit Card
CRT
CSR close
Currency
Debit Card
Deployment
DER
DigiCert
Discount
DNS
Domain
Domain Validated
DV
Educational
endpoint
Error
Generate
GlobalSign
GPO
Group Policy
Hash Algorithm
hosts
HTTPS
IETF RFC 1918
IIS
INR
Install
Installation
internal domain
Internal Name
Intranet
Intranet SSL
IP
IP Address
JBoss
Key Size
Keystore
Keytool
License
Linux
Local Host
local network
localhost
Microsoft
Middleware
MMC
Multi-Domain
multiple
Name
Non-Profit
non-Public
non-Public CA
openssl
Organization Validated
OV
Payment
PayPal
PEM
PFX
PKCS12
Place Order
Price
Private
Private CA
Private Key
private site
Public CA
Public DNS
registered
Reseller
Root Certificate
RSA Encryption
Samsung
SAN
Sectigo
SecureNT
security
Self-Signed
Server
server name
Sha2
Sha256
Single Domain
SSL
SSL Certificate
star
sub-domain
Subject Alternative Name
Survey
Swift
Testimonial
TLD
TLS
Tomcat
Top-Level Domain
Triple DES
Trusted
Ubuntu
Unlimited
URL
USD
Validation
Wildcard
Windows
Windows Server
Wire-Transfer
X.509 v3 Extension
XAMPP

SecureNT Intranet SSL

SSL/TLS Certificates for Internal Networks.

Copyright © 2024 Secure Network Traffic. All rights reserved. SecureNT is a registered trademark of Secure Network Traffic.

SecureNT
What is it? Why use it? When do I need it? Self-Signed Certificates
attach_money Price Calculator shopping_bag Buy Now experiment Try for Free
install_desktop Installation help FAQs description Support Request
info Our Story call Contact Us storefront Resellers
edit_note Blog