1. Why is this thread in Controllerless Networks? That is completely the wrong forum, and I cannot remember posting it here?!
We do not have a controllerless network at all. We run 25 IAPs managed by Aruba Instant.
2. I wouldn't mind Instant and the captive portal using the same cert if it works. In fact, I don't think it does.
3. There IS such an option in the Instant web interface. You can upload a cert for Instant and you can upload a cert for the captive portal. If this really is not supported, why is it there?
4. I do not use FQDNs here at all (except the captive portal does). I access Instant via the management IP. This is one central IP which always knows which IAP the VC is running on and forwards to that IAP's IP. That is why the IAP needs a cert itself (or we would even need a wildcard).
5. We only use internal IPs, not public ones, and generate the certificates using our own internal CA, since this is not intended for public access at all.
6. Anyhow, since one RFC the Common Name is no longer state of the art and, because of that, is already no longer evaluated in several browsers (like Chrome and Chromium). This RFC requires the use of the Subject Alternative Name (SAN) in your certs to make them valid for those.
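As an added illustration of points 4 to 6 (not part of the original post or of Aruba's tooling): an internal CA issues a certificate for a device reached by management IP, with that IP carried in the SAN rather than only in the CN, and a check confirms the SAN is present and the chain verifies. The CA name and the IP 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example: issue a cert from an internal CA with the management IP in
# the SAN, then verify SAN presence and chain. Requires the openssl CLI.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }
WORK=$(mktemp -d)
MGMT_IP="192.0.2.10"   # constructed placeholder for the Instant management IP

# 1. Internal CA (self-signed), standing in for the poster's own CA
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/CN=Internal Lab CA" 2>/dev/null

# 2. CSR for the virtual controller; a CN alone is ignored by Chrome
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/vc.key" -out "$WORK/vc.csr" \
  -subj "/CN=instant-vc" 2>/dev/null

# 3. Extension file that places the management IP in the SAN
cat > "$WORK/san.ext" <<EOF
subjectAltName = IP:$MGMT_IP
extendedKeyUsage = serverAuth
EOF

# 4. Sign the CSR with the internal CA, attaching the SAN extension
openssl x509 -req -in "$WORK/vc.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/san.ext" \
  -out "$WORK/vc.crt" 2>/dev/null

# cert_has_ip_san FILE IP -> "yes" if the SAN lists that IP address, else "no"
cert_has_ip_san() {
  if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "IP Address:$2"; then
    echo yes
  else
    echo no
  fi
}

# chain_ok FILE CA -> "yes" if the cert verifies against the internal CA
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo yes || echo no
}

cert_has_ip_san "$WORK/vc.crt" "$MGMT_IP"   # yes
chain_ok "$WORK/vc.crt" "$WORK/ca.crt"      # yes
```

Running the same check against a certificate issued with only a CN prints "no", which is exactly the case the browsers mentioned in point 6 reject.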