Anybody successfully generated a CSR through the web interface on MEG 7.0.1 and been able to submit it to a CA? The appliance is inserting a subject alternative name (SAN) into the CSR with the same name as the common name. When you try to submit the CSR to a CA like Thawte you get an error that the CSR is not properly formatted. Thawte support says they do not support the SAN and common name being the same. I contacted McAfee support about this and they suggested connecting to the appliance through SSH and using OpenSSL to generate the CSR. In the web interface there is no option to exclude the SAN from the CSR. I would be interested in other people's thoughts and experiences with this.
The below method works, doesn't add any alternative name information, and lets you select the bit size.
Creating a TLS certificate using OpenSSL
Use this task to create a TLS certificate to use with email.
Before you begin
Use the OpenSSL command, which is available on Linux. The command syntax can vary. For details, see your Linux documentation.
Choose a certificate authority, and learn how they handle certificates.
Prepare the information that defines your server:
Country Name: two-letter code such as CN, DE, ES, FR, JP, KR.
State or Province Name: full name rather than an abbreviation.
Locality Name: for example, the name of the city.
Organizational Unit Name: for example, a department or function.
Common Name: your name or your server's hostname.
Optional Company Name
1 Generate a private key, and save the result into a file. The key is a 2048-bit RSA key. The file is made read-only for its owner.
openssl genrsa 2048 > server.key
chmod 400 server.key
2 Generate a certificate signing request (CSR) and save the result into a file.
openssl req -new -nodes -key server.key > server.csr
3 Submit the server.csr file to the Certificate Authority.
The Certificate Authority will later give you a file that is signed with the CA's own private key.
4 To create a temporary certificate for testing while you wait for the signed certificate from the Certificate Authority:
a Type: openssl x509 -req -days 30 -signkey server.key <server.csr >server.crt
This command creates a self-signed certificate that expires after 30 days.
b To keep a copy of the original server certificate, type:
cat server.crt >> temp.crt
cat server.key >> temp.crt
c Append the server's private key to the server certificate.
cat server.key >> server.crt
The certificate file now has the format (certificate first, then the appended private key):
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
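The whole procedure above as one non-interactive script, with the checks a practitioner would want before sending the CSR to the CA. This is an added example and not part of the original post or the McAfee documentation; the hostname mail.example.com, the subject fields, the working directory and the function names are assumptions. It passes the subject with -subj instead of answering the prompts, confirms that the resulting CSR carries no Subject Alternative Name extension (the condition the CA in the thread objected to), builds the 30-day temporary self-signed certificate, and writes the certificate-plus-key bundle to a separate file so the original server.crt is kept, checking that the key in the bundle actually belongs to the certificate.

```shell
#!/bin/sh
# Added example: key, SAN-free CSR and temporary self-signed certificate
# with OpenSSL, plus pre-submission checks. Not the appliance vendor's code.
set -eu

HOST="${HOST:-mail.example.com}"   # assumed hostname (Common Name)
WORK="${WORK:-$(mktemp -d)}"       # assumed working directory

# Step 1: 2048-bit RSA private key, readable only by its owner.
gen_key() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    chmod 400 "$WORK/server.key"
}

# Step 2: CSR with the subject given on the command line. No -reqexts or
# -addext is used, so no Subject Alternative Name extension is written.
# The C/ST/L/O/OU values are placeholders; replace them with your own.
gen_csr() {
    openssl req -new -key "$WORK/server.key" \
        -subj "/C=US/ST=California/L=Santa Clara/O=Example Corp/OU=Messaging/CN=$HOST" \
        -out "$WORK/server.csr"
}

# Pre-submission check: number of SAN extensions in the CSR (0 is wanted).
csr_san_count() {
    openssl req -in "$WORK/server.csr" -noout -text \
        | grep -c "Subject Alternative Name" || true
}

# Pre-submission check: the CN is the hostname we expect. The pattern
# tolerates both "CN=host" (older OpenSSL) and "CN = host" (OpenSSL 3).
csr_cn_is() {
    openssl req -in "$WORK/server.csr" -noout -subject | grep -q "CN *= *$1"
}

# Step 4: 30-day self-signed certificate for testing while the CA-signed
# one is pending, and a bundle (certificate, then key) in a separate file
# so server.crt and server.key stay untouched.
gen_temp_cert() {
    openssl x509 -req -days 30 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
    cat "$WORK/server.crt" "$WORK/server.key" > "$WORK/server-with-key.crt"
    chmod 400 "$WORK/server-with-key.crt"
}

# The bundle is only useful if the key really matches the certificate:
# compare the RSA modulus of both.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$WORK/server.crt")
    k=$(openssl rsa -noout -modulus -in "$WORK/server.key")
    [ "$c" = "$k" ]
}

main() {
    gen_key
    gen_csr
    [ "$(csr_san_count)" = "0" ] || { echo "CSR contains a SAN, do not submit" >&2; exit 1; }
    csr_cn_is "$HOST" || { echo "CSR CN is not $HOST" >&2; exit 1; }
    gen_temp_cert
    key_matches_cert || { echo "key does not match certificate" >&2; exit 1; }
    echo "CSR to submit to the CA: $WORK/server.csr"
    echo "Temporary bundle for testing: $WORK/server-with-key.crt"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `HOST=your.mail.host sh csr.sh run`. One caveat when feeding the bundle to an appliance: OpenSSL 3 writes the key as a PKCS#8 block headed BEGIN PRIVATE KEY rather than BEGIN RSA PRIVATE KEY; if the appliance insists on the older header, generate the key with `openssl genrsa -traditional` on OpenSSL 3.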