Occasional Contributor I

Still confused with multiple SAN entries for cert

Hello all, 

 

Here is my scenario: I have a production ClearPass server and will be adding another using a VIP. I need to order a new 3rd party cert that references both servers. When creating the CSR, do I need to reference the VIP FQDN and IP or just Server1 and Server2 FQDN and IPs?

 

For example:

 

CN: cppm.xxx.com

SAN:DNS:cppm01.xxx.com,DNS:cppm02.xxx.com,IP:10.17.2.31,IP:10.17.2.32

 

or like this with the VIP in the SAN:

 

CN: cppm.xxx.com

SAN:DNS:cppm.xxx.com,DNS:cppm01.xxx.com,DNS:cppm02.xxx.com,IP:10.17.2.30,IP:10.17.2.31,IP:10.17.2.32

 

Hope that makes sense, thanks for your help.

Aruba

Re: Still confused with multiple SAN entries for cert

If you redirect by IP then you should add the IPs but most do not. They would point to the URL.

For a two-server setup, you can just put the 3 FQDNs in the SAN entry.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Aruba

Re: Still confused with multiple SAN entries for cert

Sorry forgot to add

Server 1 FQDN
Server 2 FQDN
VIP FQDN
Thank You,
Troy

Aruba

Re: Still confused with multiple SAN entries for cert

Couple other notes.

1. There is a cert 101 doc on the support site.

2. Most 3rd party CAs have SAN certs that usually have them in a 5 SAN entry bundle. I would fill in all 5 so you don't have to reissue the certs if you add any additional CPPMs.
Thank You,
Troy

Occasional Contributor I

Re: Still confused with multiple SAN entries for cert

Thank you for the input. We redirect via URL so I'll drop the IPs.
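
Added example, not part of the thread: a CSR with the VIP and both node FQDNs as DNS-only SAN entries, checked before it goes to the CA. It uses plain OpenSSL (1.1.1 or later, for `-addext`) rather than any ClearPass tooling; the hostnames are the thread's placeholders, and the file names and function names are assumptions.

```shell
#!/usr/bin/env bash
# Build a CSR whose SAN lists the VIP and both node FQDNs, then confirm
# the SAN content before sending the CSR to the CA.
# Hostnames are the thread's placeholders; file names are assumptions.

CN="cppm.xxx.com"                                        # VIP FQDN
SAN_NAMES="cppm.xxx.com cppm01.xxx.com cppm02.xxx.com"   # VIP + both nodes

# make_csr <key-out> <csr-out>: new RSA key plus CSR with DNS-only SAN entries.
make_csr() {
    san=""
    for n in $SAN_NAMES; do san="${san:+$san,}DNS:$n"; done
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "/CN=$CN" -addext "subjectAltName=$san" 2>/dev/null
}

# csr_dns_sans <csr>: print the CSR's DNS SAN entries, one per line.
csr_dns_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# missing_sans <csr> <name>...: print each required name that is absent
# from the SAN; returns non-zero if any name is missing.
missing_sans() {
    csr="$1"; shift
    have="$(csr_dns_sans "$csr")"
    rc=0
    for want in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$want" || { echo "$want"; rc=1; }
    done
    return $rc
}

# Demo run in a scratch directory; the private key is left there.
work="$(mktemp -d)"
make_csr "$work/cppm.key" "$work/cppm.csr"
if missing_sans "$work/cppm.csr" $SAN_NAMES; then
    echo "CSR SAN covers: $(csr_dns_sans "$work/cppm.csr" | tr '\n' ' ')"
fi
```

Run the same `missing_sans` check against every name clients or redirects will actually use; any name it prints would have to be added before the CSR is submitted.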
Moderator

Re: Still confused with multiple SAN entries for cert

Todd,

 

Please do read my TechNote on CPPM PKI 101... it covers your use case and a lot more.

CPPM - Certificates 101 Technote V1.0 .pdf

 

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass
