To obtain a certificate from the CA (Certificate Authority), you must generate a CSR (Certificate Signing Request). Later, you can replace the default, self-signed certificate, which is installed when installling App Volumes Manager, with the CA-signed certificate.

To generate a CSR, a config (.cfg ) file must be created which is used as one of the parameters in the openssl command.

Alternately, you can also create a custom self-signed certificate and later use this certificate to replace the default, self-signed certificate. For more information, see Generate a Custom Self-Signed Certificate.


  1. Create and name a text file as <config_file_name>.cfg.
  2. Make note of the file location.
    You need this file to generate a CSR.
  3. Open the configuration (<config_file_name>.cfg) file in a text application and add the following settings:
    • You can add custom values to these settings, however ensure that you use only digitalSignature, keyEncipherment, dataEncipherment for the keyUsage setting and serverAuth, clientAuth to extendedKeyUsage.
    • It is mandatory to provide the commonName, but optional to provide emailAddress.
    [ req ]
    default_bits = 
    default_keyfile = 
    distinguished_name = 
    encrypt_key = 
    prompt = 
    string_mask = 
    req_extensions = 
    [ v3_req ]
    basicConstraints = 
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = 
    [ req_distinguished_name ]
    countryName = 
    stateOrProvinceName = 
    localityName = 
    organizationName = 
    emailAddress = 
    commonName = 
    For example: Here is a sample config_file_name.cfg file:
    [ req ]
    default_bits = 2048
    default_keyfile = svserver.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS: appvolumemanager, IP:,
    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = California
    localityName = Palo Alto
    organizationName = VMware, Inc.
    emailAddress =
    commonName =
  4. To generate the CSR, run the following command: openssl req -new -newkey rsa:2048 -nodes -out <csr_name>.csr -keyout <key_name>.key -config <config_file_name>.cfg.
    The following two files are generated as outputs: <csr_name>.csr and <key_name>.key.
  5. Provide the <csr_name>.csr file to the Certificate Authority and obtain the certificate (.crt) in PEM format (base64).
    If the certificate obtained is in the P7B format, perform the following steps:
    1. Ensure that when you open the certificate, the following sections are visible: Root, Intermediate, and Certificate.
    2. Export each certificate in PEM (base64) format.
    3. Using a text application, create a <certificate_name>.crt file.
    4. Copy the Root, Intermediate, and Certificate sections into the <certificate_name>.crt file.

What to do next

Replace the App Volumes Default Self-Signed Certificate