topic Adding a SAN to a CSR to be used for IPSec\SSL VPN in Firewall and Security Management

Adding a SAN to a CSR to be used for IPSec\SSL VPN

Realeboga_Mashi — Wed, 25 May 2022 08:55:39 GMT

Hi,

I have a 3rd party signed certificate that I use for VPN connections - the issue I have is that through the CSR generating process, I am not presented with an option to add a subject alternative name (SAN).

The reason I want to have a SAN in the certificate is due to other people who don't access the VPN by DNS name but by IP Address, they get an alert that the connection is not secure.

I use the CLI method to generate the CSR (sk69660).

When I use the GUI method to create the CSR, we get an error generating the cert - the GUI method does have an option to add the SAN (this is where I found the GUI method - https://www.entrust.com/knowledgebase/ssl/how-to-generate-a-csr-using-checkpoint-appliance).

Please help?

Re: Adding a SAN to a CSR to be used for IPSec\SSL VPN

Sorin_Gogean — Wed, 25 May 2022 10:24:30 GMT

hey,

There is no need to add the SAN to the CSR, some CA's accept to add additional SANs at the time of generation.

See if your Certificate provider can support that.

If you still want to add SANs to your CSR, you need to add smth like below to your openssl.cnf file you address .

MAKE SURE YOU HAVE the req_extensions to get the SAN's in the CSR!!!!!!

# req_extensions = v3_req # The extensions to add to a certificate request

req_extensions = req_ext # The extensions to add to a certificate request

[ req_ext ]

subjectAltName = @ckp_names

[ CKP_names ]

DNS.1 = u-fw01.a#$#$%#$%lv.int

DNS.2 = u-fw02.a#$#$%#$%lv.int

DNS.3 = u-fw4.a#$#$%#$%lv.int

Thank you and have a nice week,