Contributor II
Posts: 90
Registered: 12-06-2014

3rd party SAN cert

Gang, I need a server cert so Windows machines can access the SSID to onboard. I believe it needs to be a SAN cert according to your cert 101 paper. If it's 3rd party, does it need to be a registered domain? All the SAN entries are for a non-registered domain. Ideas?

Guru Elite
Posts: 8,637
Registered: 09-08-2010

Re: 3rd party SAN cert

A public CA will only issue certificates to domains you own.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 90
Registered: 12-06-2014

Re: 3rd party SAN cert

Yes, the domain is not registered; internal domain. So for my situation needing a 3rd party cert, what do you suggest?

Guru Elite
Posts: 8,637
Registered: 09-08-2010

Re: 3rd party SAN cert

You can contact the CA and ask if they'll add a private domain, but the answer is likely no.

Keep in mind that the RADIUS server certificate for 802.1X does not have to be a real DNS name.

You could do auth.public-domain.com even though that may not exist in DNS. It is simply presented to the user to verify the server's identity.


The other option is to use a private cert and distribute the CA cert to clients.

Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 90
Registered: 12-06-2014

Re: 3rd party SAN cert

OK, so a SAN cert is not needed and I could use one of my registered domains for this?

Would a wildcard cert suffice?

Guru Elite
Posts: 8,637
Registered: 09-08-2010

Re: 3rd party SAN cert

If you're using this certificate just for 802.1X and not the web interface, then yes, you can use a single domain certificate and upload it to all of your CP servers.

Wildcard certificates should not be used as a RADIUS server certificate but can be used on the web side.

Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 90
Registered: 12-06-2014

Re: 3rd party SAN cert

OK, one last question and I'm out of your hair. Yes, this is for 802.1x Windows server validation only. I will request 1 cert from my 3rd party CA. What should be in the subject line? Meaning, I don't want to specify my CPPM hostname or I won't be able to use it on both CPPM servers, right?

I don't have a VIP, just 2 CPPM NAS. Do I need a different cert for both, and will both have each CPPM hostname in the cert subject/CN?

Guru Elite
Posts: 21,272
Registered: 03-29-2007

Re: 3rd party SAN cert

If you want a server for 802.1x only, it should have the hostname of the server that it is on, period. You would mainly get involved with SANs when you want to have webauth and have multiple servers trusted as the same server. You don't have that issue with 802.1x. The name should be the hostname of the server.

Colin Joseph
Aruba Customer Engineering

Guru Elite
Posts: 8,637
Registered: 09-08-2010

Re: 3rd party SAN cert

  • If you're using a certificate for both the web interface and RADIUS, you will need a multi-domain / UCC certificate with the real DNS name of the VIP as the common name and the server DNS names as the SAN.
  • If you're using separate certificates for the web interface and RADIUS, the web server certificate will need the real DNS names of the servers and VIP, while the RADIUS server can be any FQDN.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
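The two certificate layouts Tim and Colin describe above (one UCC cert with the VIP as CN and the node names as SANs, or one RADIUS-only cert per node carrying that node's own hostname and never a wildcard), as openssl CSR requests. This is an added example, not code from the thread or from Aruba; it assumes a local `openssl` binary, and every hostname in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): build CSRs matching the guidance in this thread.
# Hostnames are constructed placeholders; replace with your registered DNS names.
set -eu

VIP_FQDN="cppm-vip.example.com"        # assumed: real DNS name of the ClearPass VIP
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"     # where key, config and CSR files are written

# write_csr <CN> <SAN name>...: generate a key + CSR with CN=$1 and one DNS SAN per
# remaining argument, then echo the SAN line parsed back out of the finished CSR so
# the request can be checked before it is sent to the public CA.
write_csr() {
  cn="$1"; shift
  san=""
  for n in "$@"; do san="${san}${san:+,}DNS:$n"; done
  cat > "$OUT_DIR/$cn.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = $cn
[ v3_req ]
subjectAltName   = $san
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$OUT_DIR/$cn.cnf" \
    -keyout "$OUT_DIR/$cn.key" -out "$OUT_DIR/$cn.csr" 2>/dev/null
  openssl req -in "$OUT_DIR/$cn.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Case 1, web UI + RADIUS on one UCC cert: VIP name as CN, every node name as a SAN.
# The VIP is repeated in the SAN list because browsers ignore the CN and match SANs only.
# Usage: make_ucc_csr cppm1.example.com cppm2.example.com
make_ucc_csr() {
  write_csr "$VIP_FQDN" "$VIP_FQDN" "$@"
}

# Case 2, RADIUS-only cert: CN is the node's own hostname, one CSR per server.
# A wildcard name is refused, matching Tim's advice not to use wildcards for RADIUS.
# Usage: make_radius_csr cppm1.example.com
make_radius_csr() {
  case "$1" in
    \**) echo "refusing wildcard name for a RADIUS server certificate: $1" >&2; return 1 ;;
  esac
  write_csr "$1" "$1"
}
```

The echoed SAN line is the quickest way to confirm, before paying the CA, that a request contains exactly the names the supplicant or browser will be told to expect.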
Contributor II
Posts: 90
Registered: 12-06-2014

Re: 3rd party SAN cert

Guys, so I created a 3rd party cert for the 2 CPPM servers. The servers are server.internaldomain.local. But I generated the certs as server.externaldomain.com because the 3rd party CA won't create certs for non-registered domains. Now when non-domain Windows systems connect to the SSID they get the below error. Any advice on how to resolve this?
