Certificate Signing requests

Question

Hi all 
 I will be enabling opportunistic TLS this week on my Clustered Email appliance, version 4.4. 
 I was going to use the existing self-signed certificate(s) on the 2 nodes as I don't currently need any mandatory TLS connections, but I am advised (By reading around) that it would be more prudent to get an externally signed cert at this stage. 
 I've got 2 nodes in this cluster with different names, so I have 2 hostnames to add to my certificate. 
 When I go through the Certificate Signing request tool within Configuration\System\Certificates , I can only seem to add in one hostname per certificate. 
 I've tried using a semi-colon to separate the 2 hostnames, tried a comma....none of them work. What am I misunderstanding here? 
 Can I only add in one hostname OR use a wildcard? 
 Any guidance mooch appreciated. 
 Tom

Red_Warrior · Accepted Answer

Hi Tom, 
 You can not use a wild card cert on the appliance.. as well you will need to make each request individually. 
 under configuration / system / certificates 
 click add, initiate CSR 
 name it appliance1 
 fill out your information 
 add the fqdn of the appliance 
 next 
 it will give you a CSR response.. 
 copy / paste it into notepad++ (make sure there is no spaces or extra lines) 
 repeat the process again for the other appliance. 
 
 then take each request as a separate request to your authority .. ie godaddy. 
 purchase the cheapest signed certificate (you don't need DV/EV or anything like that. you simply need it signed so that when tls does validation it passes) so dont spend a ton of money on it. 
 
 the provider will give you a response (request it in apache/pem format) 
 
 once you have that go back into the appliance. select upload certificate. 
 paste in the key and authorities .. (no extra spaces or lines) you also don't need to include the private key as it will be stored on the appliance. 
 
 once that's done you will have 1 CSR per appliance.. 
 then just assign each appliance to use the correct cert .. (you may have to log into each one and check off the radio buttons) 
 
 this is the preferred method as it keeps the private key on the appliance at all times and does not require to manually chain each certificate