This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How do I generate a CSR for a wildcard SSL cert?

Hey folks,

I just bought a wildcard SSL certificate that I need to generate a CSR for.  I'm aware of the KB docs located here https://community.sophos.com/kb/en-us/118084 and here https://community.sophos.com/kb/en-us/115976 however, neither mention any specifics on generating a CSR for a wildcard SSL certificate.

Is there any additional or specific steps to take?

A follow-up question if I may:  will installing the new certificate break existing site-to-site VPN tunnels (L2TP/IPsec & SSL)?



This thread was automatically locked due to age.
Parents
  • Generating a CSR is the same for wildcard and regular certificates.   When supplying the host name, just use "*.example.com" instead of "server1.example.com"

    Instead of the Sophos method, I create my CSRs and accept my certificates on a Windows system, using an INF file and the CERTREQ command.   After it is accepted into the Windows PC, I export it to a file with private key and certificate chain, then load that file into UTM.   I learned the technique years ago when I needed to create a certificate for a domain controller, and the process is easy to replicate. 

    The INF file looks like this.  You only change the subject and optionally the key length.

    [Version]
    Signature="$Windows NT$

    [NewRequest]
    Subject = "CN=*.example.com, OU=IT, O=Example Business Inc, L=New York, S=New York, C=US"
    KeySpec = 1
    KeyLength = 2048
    ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

     

    The command to generate the CSR from the INF file looks like this

    CertReq -New wildcard.inf wildcard.certreq

    If the CA sends you a file named "wildcard.p12", you load it into the Windows certificate store using

    Certreq -Accept wildcard.p12

    Exporting the certificate chain with public key can be from the MMC using the Certificates snap-in.

    There is another line of syntax in the INF file for certificates with more than one SAN.  I can hunt it up if anyone asks.

    For other command line options, use

    certreq -?

Reply
  • Generating a CSR is the same for wildcard and regular certificates.   When supplying the host name, just use "*.example.com" instead of "server1.example.com"

    Instead of the Sophos method, I create my CSRs and accept my certificates on a Windows system, using an INF file and the CERTREQ command.   After it is accepted into the Windows PC, I export it to a file with private key and certificate chain, then load that file into UTM.   I learned the technique years ago when I needed to create a certificate for a domain controller, and the process is easy to replicate. 

    The INF file looks like this.  You only change the subject and optionally the key length.

    [Version]
    Signature="$Windows NT$

    [NewRequest]
    Subject = "CN=*.example.com, OU=IT, O=Example Business Inc, L=New York, S=New York, C=US"
    KeySpec = 1
    KeyLength = 2048
    ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

     

    The command to generate the CSR from the INF file looks like this

    CertReq -New wildcard.inf wildcard.certreq

    If the CA sends you a file named "wildcard.p12", you load it into the Windows certificate store using

    Certreq -Accept wildcard.p12

    Exporting the certificate chain with public key can be from the MMC using the Certificates snap-in.

    There is another line of syntax in the INF file for certificates with more than one SAN.  I can hunt it up if anyone asks.

    For other command line options, use

    certreq -?

Children
No Data