
Certificate Signing requests

Hi all

I will be enabling opportunistic TLS this week on my Clustered Email appliance, version 4.4.

I was going to use the existing self-signed certificate(s) on the 2 nodes as I don't currently need any mandatory TLS connections, but I am advised (By reading around) that it would be more prudent to get an externally signed cert at this stage.

I've got 2 nodes in this cluster with different names, so I have 2 hostnames to add to my certificate.

When I go through the Certificate Signing request tool within Configuration\System\Certificates, I can only seem to add in one hostname per certificate.

I've tried using a semi-colon to separate the 2 hostnames, tried a comma... none of them work. What am I misunderstanding here?

Can I only add in one hostname OR use a wildcard?

Any guidance much appreciated.

Tom



  • Hi Tom,

    You cannot use a wildcard cert on the appliance. As well, you will need to make each request individually.

    under configuration / system / certificates

    click add, initiate CSR

    name it appliance1

    fill out your information

    add the fqdn of the appliance

    next

    it will give you a CSR response.

    copy / paste it into Notepad++ (make sure there are no spaces or extra lines)

    repeat the process again for the other appliance.

    then take each request as a separate request to your authority, i.e. GoDaddy.

    purchase the cheapest signed certificate (you don't need DV/EV or anything like that; you simply need it signed so that when TLS does validation it passes), so don't spend a ton of money on it.

    the provider will give you a response (request it in Apache/PEM format).

    once you have that, go back into the appliance and select Upload Certificate.

    paste in the key and authorities (no extra spaces or lines). you also don't need to include the private key as it will be stored on the appliance.

     

    once that's done you will have 1 CSR per appliance.

    then just assign each appliance to use the correct cert (you may have to log into each one and check off the radio buttons).

    this is the preferred method as it keeps the private key on the appliance at all times and does not require you to manually chain each certificate.

  • Thanks Red Warrior.

    I didn't realise wildcards weren't allowed, not that I wanted to use one, but I'd heard elsewhere they were an option. Thanks for clarifying.

    As and when I need a publicly validated cert I'll follow your advice and request 2 affordable ones, thanks again.

    Tom

  • you can use a wildcard cert, but you will have to generate your own CSR, submit it to your authority, then assemble the certificate yourself.

    in general this can be a real pita, but if you're interested check out this thread:

    https://community.sophos.com/products/email-appliance/f/email-appliance-hardware-or-virtual/11078/certificate-problem/357571#357571
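
As an added example (not from this thread and not Sophos's own tooling), here is the "generate your own CSR" route the reply above mentions, done with OpenSSL and generalised slightly: instead of a wildcard, one CSR carries both node FQDNs as Subject Alternative Names, which is what the original question was after. The hostnames, the config file and the helper names are made-up placeholders. Generating the key off the appliance means you, not the appliance, have to protect that key, which is the trade-off the first reply points out when it recommends the built-in CSR tool.

```shell
#!/bin/sh
# Added example (not from the thread): build a single CSR that carries both
# cluster node names as Subject Alternative Names, then inspect it before
# sending it to the CA. Hostnames below are made-up placeholders.
set -e

NODE1="mail1.example.com"   # placeholder for the first appliance FQDN
NODE2="mail2.example.com"   # placeholder for the second appliance FQDN
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_csr: generate a fresh private key and a CSR whose SAN lists both nodes.
# The key never leaves this host; only the CSR (no secret material) goes to the CA.
# Prints the path of the CSR file.
make_csr() {
    cat > "$WORKDIR/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $NODE1
[ext]
subjectAltName = DNS:$NODE1, DNS:$NODE2
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/appliance.key" \
        -out "$WORKDIR/appliance.csr" \
        -config "$WORKDIR/san.cnf" 2>/dev/null
    chmod 600 "$WORKDIR/appliance.key"   # keep the private key readable by you only
    echo "$WORKDIR/appliance.csr"
}

# csr_has_name: return 0 if the CSR's requested SAN extension contains the
# given DNS name, otherwise 1. Run this for every node before submitting.
csr_has_name() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# csr_is_clean: the appliance's paste box wants the PEM with no blank lines or
# trailing whitespace (the Notepad++ step above); return 0 when the file has neither.
csr_is_clean() {
    ! grep -q -E '^[[:space:]]*$|[[:space:]]$' "$1"
}
```

Running `make_csr` prints the path of the CSR to hand to the CA; `csr_has_name "$CSR" "$NODE2"` confirms the second node really is in the request, which is the thing the appliance's own tool would not let you express. Only `appliance.csr` leaves the host; `appliance.key` stays put until you assemble the final certificate.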

  • Cheers Red Warrior, nah, I'll stick with the single hostnames in that case.

    Thanks again.

    T