IQ Bot 11.x: Create a self-signed certificate with Subject Alternative Name

Create a self-signed certificate with Subject Alternative Name (SAN) when you want to use an SSL certificate for multiple domains.

  1. Create a file with the name domain.cnf and add the following configuration as per your requirement:

    [req]

    default_bits = 2048

    prompt = no

    default_md = sha256

    x509_extensions = v3_req

    distinguished_name = dn

    [dn]

    C = ES

    ST = MyState

    L = MyCity

    O = MyOrg

    emailAddress = email@mydomain.com (Any email address)

    CN = sss-laptop136.aaspl-brd.com (CR FQDN Url Name)

    [v3_req]

    subjectAltName = @alt_names

    [alt_names]

    DNS.1 = sss-laptop136.aaspl-brd.com (CR FQDN Url Name)

    DNS.2 = sss-laptop151.aaspl-brd.com (IQBOT URL FQDN Name)

  2. Download the Openssl utility.
  3. Create the certificate either on Microsoft Windows or on Linux:
    • Run the following command to create the certificate on Microsoft Windows:
      openssl.exe req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout
      "D:\ssc\ssc\key.key" -days 3560 -out "D:\ssc\ssc\cert.crt" -config
      "D:\ssc\ssc\domain.cnf"
    • Run the following command to create the certificate on Linux:

      openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout /tmp/cert/key.key -days 3560
      -out /tmp/cert/cert.crt -config /tmp/cert/domain.cnf
  4. Create the .pfx file from cert and key file:
    • Run the following command to create the .pfx file from the cert and key file on Microsoft Windows:

      openssl.exe pkcs12 -export -out "D:\ssc\ssc\sss-aspl.pfx" -inkey "D:\ssc\ssc\key.key"
      -in "D:\ssc\ssc\cert.crt"
    • Run the following command to create the .pfx file from the cert and key file on Linux:

      openssl.exe pkcs12 -export -out /tmp/cert/sss-aspl.pfx -inkey /tmp/cert/key.key -in
      /tmp/cert/cert.crt"
  5. Import the .pfx file in Microsoft IIS.

    Use the same .pfx file with the installation of IQ Bot.

  6. Run the following command to import the certificate in the Java keystore:
    keytool.exe -import -alias dev -keystore "C:\Program Files
    (x86)\Java\jre1.8.0_91\lib\security\cacerts" -file "D:\cert\xyz.com.crt"

    Based on the type of operating system 32-bit / 64-bit, this C:\Program Files (x86)\Java\jre1.8.0_91\lib\security\cacerts directory can differ.

    If the certificate is not imported in the Java keystore, then Control Room shows the following error message: Java security certificate path validator signature check failed.

  7. Go to %installation_dir%\Configurations and run stopanduninstallallservices.bat as an administrator.
  8. Go to %installation_dir%\Configurations and run installandstartervices.bat as an administrator.
  9. Import the cert.crt file to the Trusted Root using the Microsoft Management Console (MMC).