Symantec Messaging Gateway (SMG) has no feature in its web console to generate a CSR for a SAN certificate, so you have to create the SAN CSR either from the CLI or on an external host.
In this article, we create a SAN certificate CSR on my local Windows 10 computer and then import the issued certificate into SMG.
1. OpenSSL for Windows - download gnuwin32 and install.
2. Create a .conf file (smtpssl.conf in the command in step 3) in the OpenSSL installation path where openssl.exe is located; in my case, the path is C:\Program Files (x86)\GnuWin32\bin
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = smtp1.itadminguide.com
emailAddress = firstname.lastname@example.org
O = IT Admin Guide
OU = IT Division
L = Tamil Nadu
ST = India
C = IN
[ req_ext ]
subjectAltName = DNS: smtp2.itadminguide.com, DNS: smtp3.itadminguide.com
3. Generate CSR
C:\Program Files (x86)\GnuWin32\bin> openssl req -new -config smtpssl.conf -keyout smtp.key -out smtp.csr
To verify that the CSR contains the correct information, use this online CSR Decoder. Submit only the CSR (smtp.csr) to such a tool; smtp.key is written unencrypted because of encrypt_key = no and should stay on the local machine.
4. Generate the certificate from your preferred Certificate Authority (CA). Once the SSL certificate is issued, proceed to the next steps. You also need the Root and Intermediate certificates from your CA.
5. Import Root & Intermediate (Chain) Certificate
Navigate to Symantec Messaging Gateway > Administration > Settings > Certificates > Certificate Authority tab.
Import the certificates.
6. Import the SSL certificate with its private key. Because the private key and CSR were generated outside the Symantec appliance, you need to combine the SSL certificate with the private key and upload them to the appliance as a single file. File extension remains as exe
The format is
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Navigate to Symantec Messaging Gateway > Administration > Settings > Certificates > TLS & HTTPS Certificates tab.
Import the certificate.
Note: If you click the imported certificate to view certificate info, Symantec doesn't display SAN names. You will only see Common Name. Do not get confused, it's the way Symantec displays SAN certificate 🙁
7. Once the TLS certificate is installed, the SMTP service needs to be configured to use the certificate.
Use https://www.checktls.com/TestReceiver to test TLS implementation on your server.
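
The local checks for steps 3 to 6, as an added PowerShell example that is not part of the original article: it decodes the CSR without an online tool, warns when the CN is missing from the SAN list, confirms that the key, CSR and issued certificate share one RSA modulus, and only then writes the combined file. The names smtp.crt and smtp-import.pem, and the key-first order (taken from the format shown in step 6), are assumptions.

```powershell
# Added example. smtp.key and smtp.csr are the files produced in step 3.
$openssl = 'C:\Program Files (x86)\GnuWin32\bin\openssl.exe'
$key = 'smtp.key'
$csr = 'smtp.csr'
$crt = 'smtp.crt'          # assumed name of the certificate issued by the CA
$out = 'smtp-import.pem'   # assumed name of the combined file for step 6

function Get-Modulus([string[]]$OpensslArgs) {
    # openssl prints one line of the form "Modulus=<hex>" for an RSA key
    $line = (& $openssl @OpensslArgs -noout -modulus) |
        Where-Object { $_ -like 'Modulus=*' } | Select-Object -First 1
    if (-not $line) { throw "openssl $($OpensslArgs -join ' ') returned no modulus" }
    return $line
}

# 1. Decode the CSR locally instead of pasting it into a web page.
$text = (& $openssl req -in $csr -noout -text) -join "`n"
if ($LASTEXITCODE -ne 0) { throw "Cannot read $csr" }

$san = [regex]::Matches($text, 'DNS:([^,\s]+)') |
    ForEach-Object { $_.Groups[1].Value }
$cn = [regex]::Match($text, 'Subject:.*?CN\s*=\s*([^,/\s]+)').Groups[1].Value

"CSR subject CN : $cn"
"CSR SAN entries: $($san -join ', ')"
if ($san -notcontains $cn) {
    # RFC 6125: when dNSName SAN entries exist, clients match only those.
    Write-Warning "CN '$cn' is not listed in subjectAltName."
}

# 2. The issued certificate must carry the public key of smtp.key.
$mKey = Get-Modulus @('rsa',  '-in', $key)
$mCsr = Get-Modulus @('req',  '-in', $csr)
$mCrt = Get-Modulus @('x509', '-in', $crt)
if ($mKey -ne $mCsr -or $mKey -ne $mCrt) {
    throw 'Private key, CSR and certificate do not share the same RSA modulus.'
}

# 3. Build the single file for import: private key block, then certificate
#    (order is an assumption based on the format shown in step 6).
Get-Content $key, $crt | Set-Content -Encoding Ascii $out
"Wrote $out"
```

Run it from the folder that holds the three files; delete or lock down smtp.key and the combined file after the import, since both contain the unencrypted private key.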