Level 8

Email Gateway (MEG 7.0.1) Secure Web Client CSR Generation

Anybody successfully generated a CSR through the web interface on MEG 7.0.1 and been able to submit it to a CA? The appliance is inserting a subject alternative name (SAN) into the CSR with the same name as the common name. When you try to submit the CSR to a CA like Thawte you get an error that the CSR is not properly formatted. Thawte support says they do not support the SAN and common name being the same. I contacted McAfee support about this and they suggested connecting to the appliance through SSH and using OpenSSL to generate the CSR. In the web interface there is no option to not exclude the SAN in the CSR. I would be interested in other people's thoughts and experiences with this.

0 Kudos
1 Reply
Level 7

Re: Email Gateway (MEG 7.0.1) Secure Web Client CSR Generation

The below method works and doesn't add any alternative information and lets you select the bit size.

Creating a TLS certificate using OpenSSL

Use this task to create a TLS certificate to use with email.

Before you begin

Use the OpenSSL command, which is available on Linux. The command syntax can vary. For details, see your Linux documentation.

Choose a certificate authority, and learn how they handle certificates.

Prepare the information that defines your server:




Country name: Two-letter code such as CN, DE, ES, FR, JP, KR.
State or Province Name: Full name rather than an abbreviation.
Locality Name: For example, the name of the city.
Organization Name: For example, a department or function.
Common Name: Your name or your server's hostname.
Email Address
Challenge Password
Optional Company Name


1 Generate a private key, and save the result into a file. The key is RSA 2048-bit. The file is read-only.

openssl genrsa 2048 > server.key

chmod 400 server.key

2 Generate a certificate signing request (CSR) and save the result into a file.

openssl req -new -nodes -key server.key > server.csr

3 Submit the server.csr file to the Certificate Authority.

The Certificate Authority will later give you a file that is signed with the CA's own private key.

4 To create a temporary certificate for testing while you wait for the signed certificate from the Certificate Authority:

a Type: openssl x509 -req -days 30 -signkey server.key <server.csr >server.crt

This command creates a self-signed certificate that expires after 30 days.

b To keep a copy of the original server certificate, type:

cat server.crt >> temp.crt

cat server.key >> temp.crt

c Append the server's private key to the server certificate.

cat server.key >> server.crt

The certificate file now has the format:







0 Kudos
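
A pre-submission check for the OpenSSL procedure in the reply above, as an added example that is not part of the original posts or the vendor's documentation: it builds the CSR from a private config file, then confirms the request verifies and carries no subjectAltName before it goes to the CA. The hostname, file names and function names are assumptions; the `yes` mode builds a request with a SAN equal to the common name so the check can be seen to flag it.

```shell
#!/bin/sh
# Added example. File names, hostnames and function names are constructed.

# make_csr DIR CN WITH_SAN: write DIR/server.key and DIR/server.csr.
# WITH_SAN=yes adds a SAN equal to the CN, the shape the CA rejected in the question.
make_csr() {
    dir=$1 cn=$2 with_san=$3
    (
        umask 077   # key file is never group/world readable, even briefly
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    ) || return 1
    chmod 400 "$dir/server.key"

    # Private config, so the system openssl.cnf cannot add extensions.
    ext_ref='' ext_sec=''
    if [ "$with_san" = yes ]; then
        ext_ref='req_extensions = ext'
        ext_sec="[ext]
subjectAltName = DNS:$cn"
    fi
    printf '[req]\ndistinguished_name = dn\nprompt = no\n%s\n[dn]\nCN = %s\n%s\n' \
        "$ext_ref" "$cn" "$ext_sec" > "$dir/req.cnf"

    openssl req -new -key "$dir/server.key" -config "$dir/req.cnf" \
        -out "$dir/server.csr"
}

# csr_has_san FILE: exit 0 if the request carries a subjectAltName extension.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# csr_ok FILE: exit 0 only if the self-signature verifies and no SAN is present.
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    if csr_has_san "$1"; then return 1; fi
    return 0
}
```

Run `csr_ok server.csr` on the file from step 2 before step 3; a non-zero exit means the request is damaged or still contains a SAN.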