How to define more than one DNS entry in the Subject Alternative Name (SAN) when creating a CSR in ClearPass?

By esupport posted Oct 30, 2015 05:44 AM


What is the best way to define multiple DNS entries in the Subject Alternative Name when creating a CSR (certificate signing request)?


Consider a requirement to use a single SSL certificate on two ClearPass nodes in the same cluster, with a VIP enabled between the two nodes.


For example:

We need a certificate that is trusted for three different DNS names/URLs, which resolve to the management IPs of both nodes and to the virtual IP.

VIP resolves to >>

node1 mgmt IP resolves to >>

node2 mgmt IP resolves to >>


You can define multiple DNS entries in the SAN, so that the certificate trust is extended to more than one fully qualified domain name.


Please follow the format below to define multiple DNS entries in the SAN.



  • Please use fully qualified domain names in the CN/SAN when you generate the CSR, because public certificate authorities will not accept any local domain name or alias, effective from 1st Nov, 2015.
  • Each DNS name should be specified with ":" and the entries separated by commas, leaving no space between two entries, as shown above.
  • Repeat the CN (certificate common name) in the SAN along with the other DNS entries.
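
The three rules above can be checked before the SAN string is pasted into the CSR form. The following Python check is an added example, not part of the original article or of ClearPass; it assumes each entry is written as `DNS:<name>`, and the host names and the list of non-public suffixes are constructed for illustration.

```python
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Illustrative (not exhaustive) suffixes that are not publicly resolvable.
INTERNAL_SUFFIXES = {"local", "localdomain", "lan", "internal", "corp", "home"}


def is_public_fqdn(name):
    """True if name looks like a fully qualified, publicly issuable DNS name."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or len(name) > 253:
        return False  # bare host names / aliases have a single label
    if not all(LABEL.match(label) for label in labels):
        return False
    tld = labels[-1].lower()
    # An all-numeric last label means an IP address, not a DNS name.
    return not tld.isdigit() and tld not in INTERNAL_SUFFIXES


def check_san_field(common_name, san_field):
    """Return a list of problems found in a SAN field; empty list means it passes."""
    problems = []
    if re.search(r"\s", san_field):
        problems.append("SAN field contains whitespace")
    names = []
    for entry in san_field.split(","):
        entry = entry.strip()
        prefix, sep, value = entry.partition(":")
        if not sep or prefix != "DNS":
            problems.append(f"entry {entry!r} is not of the form DNS:<name>")
            continue
        if not is_public_fqdn(value):
            problems.append(f"{value!r} is not a fully qualified public name")
        names.append(value.lower())
    if common_name.lower() not in names:
        problems.append(f"CN {common_name!r} is not repeated in the SAN")
    return problems


if __name__ == "__main__":
    # Constructed sample values: VIP name as CN plus the two node names.
    cn = "clearpass.example.com"
    good = "DNS:clearpass.example.com,DNS:cp-node1.example.com,DNS:cp-node2.example.com"
    bad = "DNS:cp-node1.example.com, DNS:cp-node2,cp-vip.local"
    print(check_san_field(cn, good))
    for problem in check_san_field(cn, bad):
        print("-", problem)
```
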



To create a new CSR with multiple DNS entries in the SAN, log in to the ClearPass Policy Manager UI, navigate to Administration >> Certificates >> Server Certificate >> Create Certificate Signing Request, and create a CSR with SAN entries as shown below.





Submitting the CSR request lets you download the generated CSR and private key files. Download both files and send only the CSR file to the certificate authority to get it signed.


The signed certificate can be installed by navigating to Administration >> Certificates >> Server Certificate >> Import Server Certificate.

Note: The certificate import/install has to be done on the Publisher. You can select the subscribers from the "Select Server" drop-down on the same page and repeat the certificate installation.


Please find below the SAN entries from the signed/installed certificate on ClearPass for your reference.






Nov 15, 2017 10:34 PM

Many thanks Tim!

Nov 15, 2017 10:32 PM

The common name must also be a SAN entry.

Nov 15, 2017 10:25 PM

Is it possible that I don't put SAN names but only the CN name instead? This is because I don't want to expose my internal network information to end users.

Nov 06, 2015 09:10 AM

You can also do this using openssl from the CLI by "tweaking" the openssl config file, which is how I do it.