NetWorker: Generating a CSR for SSL with Subject Alternative Names (SAN)

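Summary: This article provides general instructions for generating a Certificate Signing Request (CSR) for SSL that includes Subject Alternative Names (SAN). This knowledge base article is intended to provide additional support, but the task must be completed by a system administrator.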


Instructions

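Note: This procedure uses the OpenSSL utility. Windows hosts do not include OpenSSL by default. If OpenSSL cannot be installed on the Windows NetWorker server, the CSR can be generated on any Linux host. On Linux, OpenSSL is available by default. Keep the generated .csr and .key files; they are used for validation during SSL integration on the NetWorker server.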

Generate a CSR request with a primary Common Name (CN) and Subject Alternative Names that list all domain names and IP addresses.
  1. Create the file on any Linux host.
vi server_cert.cnf
  1. Paste the following content into the server_cert.cnf file.
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C   = 
ST  = 
L   = 
O   = 
OU  = 
CN  = 

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = 
DNS.2 = 
DNS.3 =
IP.1 =
IP.2 =
email.1 = 
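  1. After creating the template above, enter the information specific to your environment. If you need help generating the CSR, contact your domain administrator.
Country (C): The two-letter ISO code (* see link below) for the country where the organization is located.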

State/County/Region (ST): The state/region where the organization is located.

Locality (L): The city where the organization is located.

Organization Name (O): Usually the legal name of a company or entity and should include any suffixes such as Ltd., Inc., or Corp.
Organizational Unit (OU): Internal organization department/division name.

Common Name (CN): The fully qualified domain name (FQDN) of the server, based on the hostname available on the nsrla of the host.

Clarified SAN Guidance: It is important to include the FQDN as DNS.1. Add the short hostname and any other aliases or IP addresses as needed to cover all valid ways the host may be accessed.

DNS.1: Mandatory. Always set to the full FQDN of the host (e.g., server.company.com).

DNS.2: Recommended. Short hostname (e.g., server).

DNS.3: Optional. Additional FQDN, short name, or IP address — use this for aliases, VIPs, or any other name that might resolve to the same server.

email.x: Optional. Include if required by your CA or if you want the cert to bind to an email identity.

IP.x: Optional. Use IP.x only when you want clients to connect directly to the IP and still trust the cert. If you don’t add IP.x and someone connects to https://192.168.1.10 → the SSL check will fail because the cer
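* Two-letter ISO code for the country or region where the organization is located. This hyperlink takes you to a website that is not operated by Dell Technologies.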

Add or remove DNS.x and IP.x entries as needed.

Example:

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C   = US
ST  = Texas
L   = Round Rock
O   = Dell Technologies Inc.
OU  = Data Protection Team
CN  = server.fqdn.example.com    # Common Name - must match primary FQDN

# ================================
# Extensions for SAN
# ================================
[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
# DNS.1: Mandatory — fully qualified domain name (FQDN)
DNS.1 = server.fqdn.example.com

# DNS.2: Recommended — short hostname (without domain)
DNS.2 = servername

# DNS.3: Optional — additional FQDN, short name, or IP address
DNS.3 = server.alias.example.com

# Optional: include IP addresses or an email address if needed
#IP.1 = 192.1xx.1.10               # Literal IP address
#IP.2 = 10.1.1.5                   # Another IP if needed
#email.1 = admin@example.com
  1. Run the following command to generate the CSR and private key from the information added to the server_cert.cnf file.
openssl req -new -newkey rsa:4096 -nodes -keyout new_server.key -out new_server.csr -config server_cert.cnf
  1. Submit the CSR to the Certificate Authority for signing.
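
Before the CSR goes to the CA, it can be checked against the SAN guidance above and against the private key that must be kept with it. The script below is an added example, not part of the original article or of NetWorker; the function names (csr_sans, csr_cn, check_csr, make_sample) and the sample values are illustrative, and it assumes the openssl command is on the PATH.

```shell
# Added example: checks for new_server.csr / new_server.key before CA submission.
csr_sans() {   # SAN entries, one per line, e.g. "DNS:servername"
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

csr_cn() {     # subject Common Name
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

check_csr() {  # usage: check_csr <csr> <key>; returns 0 only if every check passes
    csr=$1; key=$2; bad=0
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR self-signature does not verify"; bad=1; }
    [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "FAIL: key file does not match the CSR public key"; bad=1; }
    csr_sans "$csr" | grep -qxF "DNS:$(csr_cn "$csr")" ||
        { echo "FAIL: CN is not repeated as a DNS SAN (DNS.1)"; bad=1; }
    # An IP literal under DNS.x is encoded as a dNSName; hostname verification
    # matches IP targets against iPAddress entries, which only IP.x produces.
    if csr_sans "$csr" | grep -Eq '^DNS:[0-9]+(\.[0-9]+){3}$'; then
        echo "FAIL: IP address listed under DNS.x; move it to IP.x"; bad=1
    fi
    return "$bad"
}

# Constructed sample: writes a config into directory $1 and generates key + CSR.
# $2 is an optional extra [alt_names] line; rsa:2048 only keeps the sample quick.
make_sample() {
    cat > "$1/server_cert.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = server.fqdn.example.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = server.fqdn.example.com
DNS.2 = servername
IP.1 = 10.1.1.5
${2:-}
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/new_server.key" \
        -out "$1/new_server.csr" -config "$1/server_cert.cnf" 2>/dev/null
}

if [ $# -eq 2 ]; then check_csr "$1" "$2" && echo "CSR checks passed"; fi
```

Saved under a name of your choice, the script is run with the CSR and key paths as its two arguments, for example new_server.csr and new_server.key from the step above.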

Additional Information

Note: Linux hosts running NetWorker 19.12.0.0 support OpenSSL 3.0.14. Windows still requires 1.1.1n.


NetWorker: NMC GST service starts and then shuts down immediately after cakey.pem is replaced

Affected Products

NetWorker, NetWorker Management Console
Article Properties
Article Number: 000251184
Article Type: How To
Last Modified: 16 Jul 2025
Version:  4