Sun Java System Access Manager 7.1 Postinstallation Guide

Procedure: To Generate a CSR with the SubjectAltName Extension

  1. Log in as or become superuser (root).

  2. Create a new certificate database (cert8.db) using the certutil -N option. If necessary, first create a directory for your database. For example:

    # mkdir certdbdir 
    # cd certdbdir 
    # certutil -N -d .

    When prompted by certutil, enter the password to encrypt your keys:

    Enter a password which will be used to encrypt your keys. 
    The password should be at least 8 characters long, 
    and should contain at least one non-alphabetic character.
    
    Enter new password: your-password 
    Re-enter password:  your-password
    
  3. Generate the CSR with the SubjectAltName extension. For example:

    # certutil -R -s "cn=lb.example.com,o=example.com,c=us" \
      -o server.req -d . -a -8 amserv1.example.com,amserv2.example.com

    When prompted by certutil, enter the password (or PIN) for the certificate database, then type on the keyboard to generate the random seed used to create your key:

    Enter Password or Pin for "NSS Certificate DB": your-password
    
    A random seed must be generated that will be used in the  
    creation of your key.  One of the easiest ways to create a  
    random seed is to use the timing of keystrokes on a keyboard.   
    
    To begin, type keys on the keyboard until this progress meter  
    is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!   
    
    Continue typing until the progress meter is full:   
    
    |************************************************************|   
    
    Finished.  Press enter to continue:   
    
    Generating key.  This may take a few moments...

  4. Send the CSR (the server.req file in the example) to the Certificate Authority (CA). When you receive the server certificate, add it to the certificate database using the certutil -A option.

  5. Copy the certificate database (cert8.db) to the web container directory.

    • Web Server. Copy the cert8.db and key3.db databases to the /opt/SUNWwbsrv/alias directory and rename them using the Web Server instance name. For example:

      https-webserver.example.com-webserver-cert8.db
      https-webserver.example.com-webserver-key3.db

    • Application Server. Copy the cert8.db and key3.db databases to the instance /config directory. For example:

      /var/opt/SUNWappserver/domains/domain1/config/cert8.db 
      /var/opt/SUNWappserver/domains/domain1/config/key3.db
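
A check worth running between steps 3 and 4, added here as an example and not part of the original guide: it parses the PEM request and reports which expected host names are absent from the SubjectAltName extension, so a CSR without the -8 names is caught before the CA signs it. The function names are illustrative, and sample_csr builds a constructed request with a placeholder key and signature purely to exercise the parser.

```python
import base64

EXTREQ_OID = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14 extensionRequest
SAN_OID = bytes.fromhex("551d11")                 # 2.5.29.17 subjectAltName

def tlvs(data):
    """Yield (tag, value) for each DER element in data."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                         # long form: next n bytes hold the length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def csr_dns_names(pem_text):
    """Return the SubjectAltName dNSName entries of a PEM (certutil -a) request."""
    body = pem_text.split("-----BEGIN")[1].split("-----END")[0]
    request = next(tlvs(base64.b64decode("".join(body.splitlines()[1:]))))[1]
    info = next(tlvs(request))[1]                 # certificationRequestInfo
    attrs = b"".join(v for t, v in tlvs(info) if t == 0xA0)   # [0] attributes
    names = []
    for _, attr in tlvs(attrs):
        (_, oid), (_, values) = tlvs(attr)
        exts = next(tlvs(values))[1] if oid == EXTREQ_OID else b""
        for _, ext in tlvs(exts):
            fields = list(tlvs(ext))              # extnID, optional critical, extnValue
            if fields[0][1] == SAN_OID:           # extnValue wraps SEQUENCE OF GeneralName
                general_names = next(tlvs(fields[-1][1]))[1]
                names += [v.decode("ascii") for t, v in tlvs(general_names) if t == 0x82]
    return names

def missing_sans(pem_text, expected):             # expected names the request lacks
    found = {n.lower() for n in csr_dns_names(pem_text)}
    return [h for h in expected if h.lower() not in found]

def der(tag, *parts):                             # tiny DER encoder, sample data only
    body = b"".join(parts)
    size = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + size + body

def sample_csr(hosts):                            # constructed: placeholder key and signature
    san = der(0x30, *[der(0x82, h.encode()) for h in hosts])
    ext = der(0x30, der(0x06, SAN_OID), der(0x04, san))
    attr = der(0x30, der(0x06, EXTREQ_OID), der(0x31, der(0x30, ext)))
    info = der(0x30, der(0x02, b"\0"), der(0x30), der(0x30, bytes(130)), der(0xA0, attr))
    req = base64.encodebytes(der(0x30, info, der(0x30), der(0x03, b"\0"))).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{req}-----END NEW CERTIFICATE REQUEST-----\n"
```

To check the request from step 3, pass the contents of server.req and the host names given to -8, for example `missing_sans(open("server.req").read(), ["amserv1.example.com", "amserv2.example.com"])`; an empty list means every name is present.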