File Director SAN certificates

The Subject Alternative Name (SAN) field allows you specify additional host names that will be protected by same SSL certificate. For example, an administrator can use CNAME alias DNS records with an SSL certificate that has a different Common Name set within the subject of the certificate.

This section describes how to configure a File Director certificate that contains SAN extensions. In this example, a SAN certificate is generated using a private CA, exported as a PFX file and then uploaded to File Director.

Configuration comprises three parts:

Prerequisites:

File Director appliance with a base DNS, AD, admin user and license configuration applied.

DNS and SAN certificates

The A record is typically created when installing the File Director appliance and maps the IP address to the specified host name. A CNAME records allows you to map one domain name (an alias) to another (the A record for example).

Example of a SAN certificate using an A and CNAME DNS record

In the illustration shown, the CNAME record (on the right) references the A name record.

  1. Create DNS entries for your appliance.

  2. Confirm the DNS records resolve correctly using a command such as ping, for example.

Generating your SAN certificate

  1. Open Microsoft Management Console and click File > Add/Remove Snap-in...
    The Add or Remove Snap-ins dialog displays.
  2. From the Available snap-ins panel, select Certificates. Click the Add> button.
    • In the Certificates snap in dialog, select the Computer account radio button then click Next.
    • From the Select Computer dialog select the Local computer radio button
    • Click Finish and OK.
  3. Expand the Personal folder and select Certificates.

    Select Certificates in the center panel, right-click and select All Tasks > Request New Certificate.
    The Certificate Enrollment wizard displays.

  4. Click Next and Next again.
  5. Select Web Server and click the drop-down arrow to expand the Details section.

    Click the Properties button to open the Certificate Properties dialog.

  6. In the Subject name panel, complete the following fields :
    • Common Name
    • Organizational Unit
    • Organization
    • Locality
    • State
    • Country
    • Email

    Note, this is the same information required if generating a CSR request for the File Directorappliance

  7. In the Alternative name panel, select DNS from the Type drop down.
  8. In the Value field, add the Alternative DNS names to be included in the certificate request.

    .

  9. Select the General tab and enter a Friendly Name and optional Description.

  10. Select the Private Key tab and expand the Key Options.
  11. Select Make private key exportable.

  12. Click Apply and OK.
  13. In the Certificate Enrollment dialog, click Enroll.

  14. When the certificate has successfully enrolled, click Finish.

    You should see the certificate in the Personal store.

  15. Right-click on the new certificate and select Open.
  16. Click on the Details tab and select Subject.

    You will see the subject details for your certificate.

  17. Scroll to the Subject Alternative Name section.

    The alternative DNS names you configured should be visible.

  18. Click Copy to File and then OK.
  19. Click Next.
  20. Enable the Yes, export the private key option and click Next.

  21. In the export file format section, select Include all certificates in the certification path possible and click Next.

  22. Type and confirm a password.
  23. Ivanti recommend you use the most secure method of encryption to protect your files.
    Click the drop-down arrow in the Encryption field and select the method required.

  24. Click Next.
  25. Save the certificate to a suitable location.
  26. Complete the wizard by clicking Finish.

SAN certificates in the File Director appliance

  1. Open a web browser and connect to your appliance Admin console.
  2. Select Configuration > SSL Certificate.

    If required, click to expand the Upload an existing certificate section:

    Upload Certificate

  3. Click Browse and select the required certificate.
  4. If the certificate was created with an encryption password, type it into the field.
  5. Click Upload Certificate and your certificate should be installed and enrolled for the host name you specified in the Certificate Subject.

You will now be able to use the A and CNAME record to connect to the appliance using SSL.

Related topics

Configure certificates

Upload an existing certificate

E.g. Public CA

E.g. Private certificate