How to create a Subject Alternate Certificate for Symantec Messaging Gateway

124

Symantec Messaging Gateway (SMG) doesn’t have a feature in their web console to generate SAN certificate CSR, so in this case, you either create SAN CSR from CLI or external host.

In this article, we are creating a SAN certificate CSR from my local Windows 10 computer and finally, importing it to SMG.

1. OpenSSL for Windows – download gnuwin32 and install.

  1. Create .conf file in openssl installation path where openssl.exe file is located, in my case, the file path is C:\Program Files (x86)\GnuWin32\bin

[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = smtp1.itadminguide.com
emailAddress = support@itadminguide.com
O = IT Admin Guide
OU = IT Division
L = Tamil Nadu
ST = India
C = IN

[ req_ext ]
subjectAltName = DNS: smtp2.itadminguide.com, DNS: smtp3.itadminguide.com

3. Generate CSR 

C:\Program Files (x86)\GnuWin32\openss1 req -new -config smtpssl.conf -keyout smtp.key -out smtp.csr

If you would like to verify the contents of CSR for correct information, use this online CSR Decoder.

4. Generate Certificate from your preferred Certificate Authority (CA). Once SSL certificate is issued, proceed for next steps. You also need Root and Intermediate Certificates from your CA.

5. Import Root & Intermediate(Chain) Certificate

Navigate to Symantec Messaging Gateway > Administration > Settings > Certificates > Certificate Authority tab.

Import the certificates.

6. Import SSL certificate with private key – as private key and CSR are generated outside Symantec appliance, you need to combine SSL with private key and then upload as single file to appliance. File extension remains as exe

The format is

—–BEGIN CERTIFICATE—–

[…]

—–END CERTIFICATE—–

—–BEGIN RSA PRIVATE KEY—–

[…]

—–END RSA PRIVATE KEY—–

Navigate to Symantec Messaging Gateway > Administration > Settings > Certificates > TLS & HTTPS Certificates tab.

Import the certificate.

Note: If you click the imported certificate to view certificate info, Symantec doesn’t display SAN names. You will only see Common Name. Do not get confused, it’s the way Symantec displays SAN certificate 🙁

7.Once TLS certificate is installed, SMTP service will need to be configured to use the certificate.

Refer Symantec article for enbaling TLS for Inbound and/or Outbound messages.

Use https://www.checktls.com/TestReceiver to test TLS implementation on your server.



Related Articles & Comments

Menu Title
%d bloggers like this: