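NetWorker: Generating a CSR for SSL with Subject Alternative Names (SAN)

Summary: This article provides general instructions for generating a certificate signing request (CSR) for SSL that includes Subject Alternative Names (SAN). This knowledge base article is intended to provide additional support, but the system administrator must complete this task.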


Instructions

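Note: This procedure uses the OpenSSL utility. By default, Windows hosts do not include OpenSSL. If OpenSSL cannot be installed on the Windows NetWorker server, the CSR can be generated on any Linux host. On Linux, OpenSSL is available by default. Keep the generated .csr and .key files for verification during SSL integration on the NetWorker server.

Generate a CSR using the primary Common Name (CN) and Subject Alternative Names (listing all domain names and IP addresses).
  1. Create a file on any Linux host.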
vi server_cert.cnf
  2. Paste the following content into the server_cert.cnf file.
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C   = 
ST  = 
L   = 
O   = 
OU  = 
CN  = 

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = 
DNS.2 = 
DNS.3 =
IP.1 =
IP.2 =
email.1 = 
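  3. After creating the template above, enter your environment-specific information. If you need help generating the CSR, contact your domain administrator.
Country (C): The two-letter ISO code (* see link below) for the country where the organization is located.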

State/County/Region (ST): The state/region where the organization is located.

Locality (L): The city where the organization is located.

Organization Name (O): Usually the legal name of a company or entity and should include any suffixes such as Ltd., Inc., or Corp.
Organizational Unit (OU): Internal organization department/division name.

Common Name (CN): The fully qualified domain name (FQDN) of the server, based on the hostname available on the nsrla of the host.

Clarified SAN Guidance: It is important to include the FQDN as DNS.1. Add the short hostname and any other aliases or IP addresses as needed to cover all valid ways the host may be accessed.

DNS.1: Mandatory. Always set to the full FQDN of the host (e.g., server.company.com).

DNS.2: Recommended. Short hostname (e.g., server).

DNS.3: Optional. Additional FQDN, short name, or IP address — use this for aliases, VIPs, or any other name that might resolve to the same server.

email.x: Optional. Include if required by your CA or if you want the cert to bind to an email identity.

IP.x: Optional. Use IP.x only when you want clients to connect directly to the IP and still trust the cert. If you don’t add IP.x and someone connects to https://192.168.1.10 → the SSL check will fail because the cer
* Two-letter ISO code for the country or region where the organization is located.
 

Add or remove DNS.x and IP.x entries as needed.

Example:

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C   = US
ST  = Texas
L   = Round Rock
O   = Dell Technologies Inc.
OU  = Data Protection Team
CN  = server.fqdn.example.com    # Common Name - must match primary FQDN

# ================================
# Extensions for SAN
# ================================
[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
# DNS.1: Mandatory — fully qualified domain name (FQDN)
DNS.1 = server.fqdn.example.com

# DNS.2: Recommended — short hostname (without domain)
DNS.2 = servername

# DNS.3: Optional — additional FQDN, short name, or IP address
DNS.3 = server.alias.example.com

# Optional: include IP addresses or email if needed
#IP.1 = 192.1xx.1.10               # Literal IP address
#IP.2 = 10.1.1.5                   # Another IP if needed
#email.1 = admin@example.com
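  4. Run the following command to generate the CSR and private key based on the information added to the server_cert.cnf file.
openssl req -new -newkey rsa:4096 -nodes -keyout new_server.key -out new_server.csr -config server_cert.cnf
  5. Submit the CSR to the certificate authority (CA) for signing.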
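
Before submitting the CSR in step 5, it is worth confirming that it is intact, that it belongs to the private key being kept, and that DNS.1 carries the CN. The script below is an added example, not part of the original article or of NetWorker; the names check_csr, make_demo_csr and KEY_BITS and the example.com / 192.0.2.10 values are assumptions constructed for illustration.

```bash
# Added example: checks on new_server.csr / new_server.key before CA submission.

# check_csr CSR KEY -> returns 0 only if every check passes.
check_csr() {
    csr=$1; key=$2
    # 1. The CSR's self-signature is intact (file not truncated or altered).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "FAIL: CSR self-signature"; return 1; }
    # 2. The CSR carries the public half of the private key being kept.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "FAIL: key does not match CSR"; return 1; }
    # 3. The first SAN entry is DNS:<CN>, i.e. DNS.1 is the primary FQDN.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    sans=$(openssl req -in "$csr" -noout -text |
           awk '/Subject Alternative Name/ { getline; print }' |
           tr -d ' ' | tr ',' '\n')
    [ "$(printf '%s\n' "$sans" | head -n 1)" = "DNS:$cn" ] \
        || { echo "FAIL: DNS.1 is not the CN ($cn)"; return 1; }
    echo "OK: CN=$cn SAN=$(printf '%s' "$sans" | tr '\n' ' ')"
}

# make_demo_csr DIR CN DNS1 -> constructed sample input (reserved example names)
# in the article's layout. KEY_BITS is a hypothetical override; default is 4096.
make_demo_csr() {
    mkdir -p "$1" && cat > "$1/server_cert.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
O  = Example Org
CN = $2
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $3
DNS.2 = servername
IP.1  = 192.0.2.10
EOF
    openssl req -new -newkey "rsa:${KEY_BITS:-4096}" -nodes \
        -keyout "$1/new_server.key" -out "$1/new_server.csr" \
        -config "$1/server_cert.cnf" 2>/dev/null
}

demo=$(mktemp -d)   # scratch directory for the constructed demo files
make_demo_csr "$demo" server.fqdn.example.com server.fqdn.example.com
check_csr "$demo/new_server.csr" "$demo/new_server.key"
```

For a real request, call check_csr on the new_server.csr and new_server.key produced in step 4 and skip the demo lines.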

Additional Information

Note: Linux hosts running NetWorker 19.12.0.0 support OpenSSL 3.0.14. Windows still requires 1.1.1n.


NetWorker: NMC GST service starts, then shuts down immediately after replacing cakey.pem

Affected Products

NetWorker, NetWorker Management Console
Article Properties
Article Number: 000251184
Article Type: How To
Last Modified: 16 Jul 2025
Version:  4