1 Reply Latest reply on Aug 28, 2012 1:25 PM by frankdjr

    Email Gateway (MEG 7.0.1) Secure Web Client CSR Generation

      Anybody successfully generated a CSR through the web interface on MEG 7.0.1 and been able to submit it to a CA?  The appliance is inserting a subject alternative name (SAN) into the CSR with the same name as the common name.  When you try to submit the CSR to a CA like Thawte you get an error that the CSR is not properly formatted.  Thawte support says they do not support the SAN and common name being the same.  I contaced McAfee support about this and they suggested connecting to the appliance through SSH and using OpenSSL to generate the CSR.  In the web interface there is no option to not exclude the SAN in the CSR.  I would interested in other people's thoughts and experiences with this.

        • 1. Re: Email Gateway (MEG 7.0.1) Secure Web Client CSR Generation

          The below method works and doesn't  add any alternative information and lets you selelct the bit size.


          Creating a TLS certificate using OpenSSL

          Use this task to create a TLS certificate to use with email.


          Before you begin

          Use the OpenSSL command, which is available on Linux. The command syntax can vary. For details, see your Linux documentation.


          Choose a certificate authority, and learn how they handle certificates.

          Prepare the information that defines your server:





          Country name

          Two-letter code such CN, DE, ES, FR,JP, KR.


          State or Province Name

          Full name rather than an abbreviation.


          Locality Name

          For example, the name of the city.


          Organization Name

          For example, a department or function.


          Common Name

          Your name or your server's hostname.


          Email Address

          Email Address


          Challenge Password



          Optional Company Name

          Optional Company Name




          1 Generate a private key, and save the result into a file. The key is RSA2048-bit. The file is read-only.

          openssl genrsa 2048 > server.key

          chmod 400 server.key


          2 Generate a certificate signing request (CSR) and save the result into a file.

          openssl req -new -nodes -key server.key > server.csr


          3 Submit the server.csr file to the Certificate Authority.

          The Certificate Authority will later give you a file that is signed with the CA's own private key.


          4 To create a temporary certificate for testing while you wait for the signed certificate from the Certificate Authority:

          a Type: openssl x509 -req -days 30 -signkey server.key <server.csr >server.crt

          This command creates a self-signed certificate that expires after 30 days.


          b To keep a copy of the original server certificate, type:

          cat server.crt >> temp.crt

          cat server.key >> temp.crt


          c Append the server's private key to the server certificate.

          cat server.key >> server.crt

          The certificate file now has the format:

          -----BEGIN CERTIFICATE-----


          -----END CERTIFICATE----

          -----BEGIN RSA PRIVATE KEY-----


          -----END RSA PRIVATE KEY----