Yes, it's annoying that there isn't any option to add a SAN from the switch; that is still true of the latest code released for the 2930F.
Have you tried something like this below? It may be a bit long-winded but potentially could be done - whilst I've not done it, I'd be interested if you succeed!
Need to ask for the option on the Innovate platform! (https://innovate.arubanetworks.com/)
If you are pulling in external tools anyway, it may make sense to use one like openssl to generate the keypair and CSR with that tool instead of using the switch.
The benefit is that you can probably create the multiple keypairs and CSRs in a single run, instead of needing to generate them on each switch. When you have the certificates signed, you can upload them with the key to the switch. An exception could be if you require the key to be generated on the switch and never leave it. On the other hand, if you run the process externally, you have a backup of the key material.
It is a matter of personal preference though.
For larger deployments, you may have a look if EST (Enrollment over Secure Transport) may be a better way to get certificates on your switches.
Yes, I did start to look at EST, although Microsoft Certificate Authority doesn't support this out of the box by the looks of it, so that could be a pain.
However, EST seems to be supported now (16.09 on the 2930F at least); I'd be really interested if anyone has managed to get this up and working?
https://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a00076262en_us-1.pdf - Chapter 33 of the ASG for 16.09
@redford1980 wrote: I didn't think that would work for these switches? The CSR created on the switch needs to be the one which is signed ... I've tried creating the CSR in a Windows environment, signing it, then importing the CSR and signed cert into the switch - it just moans because the original CSR wasn't used. Happy to try OpenSSL if you think it could be different than the above?
You also need to import the private key for the "openssl" CSR...
I generated a CSR on the switch using the identity profile with all the subject information, including the FQDN of the switch as the CN. I then copied and pasted the CSR into the MS CA and added the SAN fields in the attributes box as follows: san:dns=dns.name[&dns=dns.name]
Here is more info: https://support.microsoft.com/en-us/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate
I then uploaded the cert to the switch for whatever use I need it for.
Make sure your CA is in the trust list for your browser.
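As an added example (not from this thread, and not Aruba's or Microsoft's tooling), here are the two approaches discussed above as a POSIX shell script around openssl. Path 1 is the off-switch keypair + CSR with the SANs already in the request, as suggested earlier in the thread. Path 2 is what the MS CA does when you put san:dns=... in the attributes box: the CA adds the SAN at signing time to a CN-only CSR like the one the switch generates. Here that CA is a throwaway openssl lab CA, so you can see the mechanism without a Windows box. Host names, file names and the CA name are placeholders. Uploading the result to the switch is not shown, since the thread doesn't give the switch commands.

```sh
#!/bin/sh
# Added example, not from the original thread. Two ways to end up with a
# certificate that carries SANs for a switch that cannot request them itself.
# All host names, file names and the "Example Lab CA" name are placeholders.
set -eu

# Scratch directory; set WORK=/some/dir to keep the generated files.
WORK="${WORK:-$(mktemp -d)}"

# Write an openssl request config for CN "$2"; any further args become DNS SANs.
# With no SANs the config produces a CN-only CSR, like the switch's own.
make_req_conf() {
  out="$1"; cn="$2"; shift 2
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    [ $# -eq 0 ] || printf 'req_extensions = v3_req\n'
    printf '[dn]\nCN = %s\n' "$cn"
    if [ $# -gt 0 ]; then
      printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
      i=1
      for name in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name"
        i=$((i + 1))
      done
    fi
  } > "$out"
}

# Path 1 (and the stand-in for the switch CSR when no SANs are given):
# generate a fresh RSA key and CSR under $WORK/<base>.{key,csr}.
gen_csr() {
  base="$1"; cn="$2"; shift 2
  make_req_conf "$WORK/$base.cnf" "$cn" "$@"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$base.cnf" \
    -keyout "$WORK/$base.key" -out "$WORK/$base.csr" >/dev/null 2>&1
}

# Print the SAN line of a CSR ($1 = req) or certificate ($1 = x509);
# prints nothing when the object has no SAN extension.
san_of() {
  openssl "$1" -in "$2" -noout -text \
    | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Path 2: sign a CSR with a throwaway lab CA, injecting DNS SANs via -extfile.
# This mirrors the MS CA attributes-box behaviour: the CSR content is left
# alone and the SAN is added to the issued certificate.
sign_adding_san() {
  csr="$1"; crt="$2"; shift 2
  if [ ! -f "$WORK/ca.key" ]; then
    make_req_conf "$WORK/ca.cnf" "Example Lab CA"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  fi
  list=""
  for name in "$@"; do list="${list:+$list,}DNS:$name"; done
  printf 'subjectAltName=%s\n' "$list" > "$WORK/sign.ext"
  openssl x509 -req -in "$csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/sign.ext" -out "$crt" >/dev/null 2>&1
}

# Sanity check before uploading: the private key must belong to the CSR.
key_matches_csr() {
  [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl req -in "$2" -noout -modulus)" ]
}

# Demo run: path 1 for switch01, path 2 for a CN-only CSR standing in for switch02.
gen_csr switch01 switch01.example.net switch01.example.net switch01
echo "switch01 CSR SAN: $(san_of req "$WORK/switch01.csr")"
gen_csr switch02 switch02.example.net
echo "switch02 CSR SAN: '$(san_of req "$WORK/switch02.csr")' (empty, like the switch's own CSR)"
sign_adding_san "$WORK/switch02.csr" "$WORK/switch02.crt" switch02.example.net switch02
echo "switch02 cert SAN: $(san_of x509 "$WORK/switch02.crt")"
echo "files in $WORK"
```

Two caveats worth keeping in mind. With path 1 the private key exists outside the switch, so treat the .key files like any other credential (encrypt them with -aes256 instead of -nodes in production, and delete them once uploaded if you do not want a backup). With path 2 the key never leaves the switch, which is the point of generating the CSR there. In both cases, run the SAN check on the issued certificate before uploading it, because browsers ignore the CN once any SAN is present; a certificate with a correct CN and a wrong SAN will still be rejected.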
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.