000027893 - KB-1669 How to secure Multiple Domain Names with a Single SSL Certificate

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000027893
Applies To: keytool, SAN, SSL certificate
All Versions
RSA Identity Management and Governance
Issue: KB-1669 How to secure Multiple Domain Names with a Single SSL Certificate
This Knowledgebase Solution describes how to create a single SSL certificate that covers multiple host names, known as Subject Alternative Names (SANs), in one certificate. Note: the JDK 7 (or later) keytool is required, because older versions do not support the -ext extension syntax. More information can be found in the Oracle documentation: http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html

This was tested on a virtual machine running ACM 6.5.1, but the same process should work on any ACM version. Install Java 7 on your appliance:

1. Log in as the root user and download Java JDK 7 or later from Oracle: $  wget --no-check-certificate --no-cookies --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com" "http://download.oracle.com/otn-pub/java/jdk/7u40-b43/jdk-7u40-linux-x64.rpm"
   Note that this download is fetched over plain HTTP (and --no-check-certificate would disable TLS certificate validation for an HTTPS URL), so verify the package checksum against the value published by Oracle before installing it.

2. Rename the downloaded package (wget keeps the AuthParam query string in the file name) to .rpm: $ mv jdk-7u40-linux-x64.rpm\?AuthParam\=1379599920_4b81669a04045670cd4003e30ec824f1 jdk-7u40-linux-x64.rpm

3. Install the .rpm package: $ rpm -Uvh jdk-7u40-linux-x64.rpm

4. Check where the rpm got installed; in this example it was installed in /usr/java/jdk1.7.0_40/bin/


Generate a Server Certificate:

1. Log in as the oracle user and go to the keystore directory: $ cd /home/oracle/jboss/server/default/conf/keystore

2. Back up aveksa.keystore:  $ cp aveksa.keystore aveksa.keystore.backup

3. Remove the existing server certificate (if it exists): $ keytool -delete -alias mycorpServer -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore

4. Using the Java 7 keytool, generate the new server key pair and self-signed certificate: $ /usr/java/jdk1.7.0_40/bin/keytool -genkeypair -keysize 2048 -validity 18000 -alias mycorpServer -dname "CN=acm-server.mycorp.com,OU=Aveksa,O=MyCorp,L=Waltham,S=Massachusetts,C=US" -keyalg RSA -keypass Av3k5a15num83r0n3 -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore -ext "SAN=DNS:acm-server.mycorp.com,DNS:vm-sb-mzorman-01.aveksa.local"
   The -ext value is a comma-separated list of DNS:<hostname> entries, optionally followed by IP:<address> entries for clients that connect by IP address. List every name the server is reached by, including the one used in the CN: clients that follow RFC 6125 (all current browsers) match the requested host against the SAN list only and ignore the CN once a SAN is present. Do not leave an empty entry such as a bare "IP:" in the list; keytool rejects it. The -validity value applies only to this self-signed placeholder certificate; the lifetime of the CA-signed certificate imported later is set by the CA. Passing -storepass and -keypass on the command line leaves the password in the shell history and visible in the process list; omitting them makes keytool prompt interactively instead.

5. Restart Aveksa Platform


Generate a Certificate Signing Request (CSR):

1. Log in as the oracle user and go to the keystore directory: $ cd /home/oracle/jboss/server/default/conf/keystore

2. Using the Java 7 keytool, generate the Certificate Signing Request: $ /usr/java/jdk1.7.0_40/bin/keytool -certreq -alias mycorpServer -storepass Av3k5a15num83r0n3 -file acmserver.csr -keystore aveksa.keystore -ext "SAN=DNS:acm-server.mycorp.com,DNS:vm-sb-mzorman-01.aveksa.local"
   The -ext option must be repeated here with the same name list as in the previous section, because keytool does not copy extensions from the key entry into the CSR. The CA decides whether to honor the requested SAN, so check the returned certificate and confirm that every hostname is present before importing it.

3. At this point Java 7 is no longer needed and can be uninstalled from the system:  $ rpm -e jdk-1.7.0_40-fcs

4. Restart Aveksa Platform. To import a trusted certificate and the signed server certificate, follow the Aveksa Installation Guide, Chapter 6: Aveksa Platform Security and Authentication Management, sections "Import a Trusted Certificate" and "Import a Signed Server's Certificate into the Aveksa Platform Keystore".
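The following script is an added example and is not part of this RSA article or of the Aveksa product: it wraps the key-pair and CSR steps above so that the SAN list is built from a host list (CN always included, duplicates dropped, empty or malformed entries rejected) and then checks, with keytool -printcertreq, that the CSR really carries every name before it is sent to the CA. The alias, keystore name and password follow the article; the extra hostname and the IP address are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not part of the RSA article: build the keytool "-ext SAN=..."
# argument from a host list, generate the key pair and CSR with it, and verify
# that the CSR carries every name before it goes to the CA.
# Hypothetical values: extra hostnames, IPs and the scratch paths are placeholders.

# is_ipv4 ADDR: true if ADDR is four dotted decimal octets in 0..255 (IPv4 only).
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# san_ext CN [NAME_OR_IP ...]: print "SAN=DNS:<cn>,DNS:<name>,...,IP:<addr>".
# The CN is always listed first (clients ignore the CN once a SAN is present),
# duplicates are dropped, and an empty entry (such as a bare "IP:") or a
# malformed IPv4 address is rejected instead of being handed to keytool.
san_ext() {
    cn=$1; shift
    [ -n "$cn" ] || { echo "san_ext: CN must not be empty" >&2; return 1; }
    ext="SAN=DNS:$cn"; seen=",$cn,"
    for entry in "$@"; do
        [ -n "$entry" ] || { echo "san_ext: empty SAN entry" >&2; return 1; }
        case $seen in *",$entry,"*) continue ;; esac
        seen="$seen$entry,"
        case $entry in
            *[!0-9.]*) ext="$ext,DNS:$entry" ;;
            *) is_ipv4 "$entry" || { echo "san_ext: bad IPv4 address $entry" >&2; return 1; }
               ext="$ext,IP:$entry" ;;
        esac
    done
    printf '%s\n' "$ext"
}

# gen_keypair_with_san ALIAS KEYSTORE STOREPASS DNAME SAN_EXT
# Short validity on purpose: this self-signed certificate is only a placeholder
# until the CA-signed one is imported; the CA sets the real lifetime.
gen_keypair_with_san() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 825 \
        -alias "$1" -keystore "$2" -storepass "$3" -keypass "$3" \
        -dname "$4" -ext "$5"
}

# gen_csr_with_san ALIAS KEYSTORE STOREPASS CSR_FILE SAN_EXT
# keytool does not copy extensions from the key entry into the CSR, so the
# same -ext value has to be passed again here.
gen_csr_with_san() {
    keytool -certreq -alias "$1" -keystore "$2" -storepass "$3" \
        -file "$4" -ext "$5"
}

# csr_has_san CSR_FILE NAME_OR_IP ...: succeed only if keytool -printcertreq
# (JDK 7 and later) lists every name under SubjectAlternativeName.
csr_has_san() {
    csr=$1; shift
    dump=$(keytool -printcertreq -file "$csr") || return 1
    for entry in "$@"; do
        if is_ipv4 "$entry"; then label=IPAddress; else label=DNSName; fi
        escaped=$(printf '%s' "$entry" | sed 's/\./\\./g')
        printf '%s\n' "$dump" | grep -qE "$label: $escaped[[:space:]]*$" \
            || { echo "CSR is missing SAN entry $entry" >&2; return 1; }
    done
}

# demo: end-to-end run in a scratch directory; needs keytool on PATH.
demo() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 1; }
    work=$(mktemp -d) || return 1
    storepass=${STOREPASS:-Av3k5a15num83r0n3}     # article's default; override via STOREPASS
    cn=acm-server.mycorp.com
    set -- vm-sb-mzorman-01.aveksa.local 10.0.0.5   # hypothetical extra names for this server
    san=$(san_ext "$cn" "$@") || return 1
    gen_keypair_with_san mycorpServer "$work/aveksa.keystore" "$storepass" \
        "CN=$cn,OU=Aveksa,O=MyCorp,L=Waltham,S=Massachusetts,C=US" "$san" || return 1
    gen_csr_with_san mycorpServer "$work/aveksa.keystore" "$storepass" \
        "$work/acmserver.csr" "$san" || return 1
    csr_has_san "$work/acmserver.csr" "$cn" "$@"
    rc=$?
    rm -rf "$work"
    return $rc
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it as `sh san_csr.sh run` on a host with the JDK 7 (or later) keytool on PATH; it exits non-zero if any requested name is absent from the CSR. The same csr_has_san check can be pointed at a certificate returned by the CA by swapping -printcertreq for `keytool -printcert -file`, which prints the SAN in the same layout, to confirm the CA honored every name before importing it into aveksa.keystore.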

Legacy Article ID: a67116