Creating a CSR with multiple SAN options

  • 1.  Creating a CSR with multiple SAN options

    Posted Aug 21, 2013 11:44 AM

    All,

     

    Is it possible to put multiple entries into the SAN field when generating a CSR? I tried entering "DNS:clearpass1.mydomain.org, IP:10.20.100.170" and it threw an error. I'm not sure what the delimiter is between the various SAN entries.

     

    I'm trying to create a CSR for a VIP that references the publisher and subscriber IPs and FQDNs. I've been told this is the best way to handle certs in CPPM in case of a failover and / or the promotion / demotion of Publishers and Subscribers.

     

    Eventually, all of us will have dumped so many questions in this forum that it's going to be a great wiki! Also, it keeps cjoseph on his toes!

     

    Thanks!

     

    -Mike



  • 2.  RE: Creating a CSR with multiple SAN options
    Best Answer

    EMPLOYEE
    Posted Aug 21, 2013 11:55 AM

    I believe there are no spaces.

     

    DNS:cplab.clearpassdemo.com,IP:10.80.2.200
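
A pre-flight check for the SAN string format discussed in this thread, added here as an example (it is not ClearPass code and not from any poster). It assumes the strict comma-with-no-space form from the answer above, handles only `DNS` and `IP` entries, and the name `parse_san_field` is hypothetical.

```python
import ipaddress
import re

# One hostname label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def parse_san_field(field):
    """Parse 'DNS:name,IP:addr,...' into [(type, value), ...].

    Raises ValueError naming the first entry that is malformed.
    """
    if not field:
        raise ValueError("empty SAN field")
    entries = []
    for raw in field.split(","):
        # The failure from the first post: a space after the comma.
        if raw != raw.strip():
            raise ValueError(f"whitespace around entry {raw!r}: use ',' with no space")
        # Split on the first ':' only, so IPv6 addresses keep their colons.
        kind, sep, value = raw.partition(":")
        if not sep or not value:
            raise ValueError(f"entry {raw!r} is not TYPE:value")
        if kind == "DNS":
            labels = value.split(".")
            if labels[0] == "*":          # allow a leading wildcard label
                labels = labels[1:]
            if len(value) > 253 or not labels or not all(_LABEL.fullmatch(l) for l in labels):
                raise ValueError(f"invalid DNS name {value!r}")
            value = value.lower()
        elif kind == "IP":
            try:
                value = str(ipaddress.ip_address(value))
            except ValueError:
                raise ValueError(f"invalid IP address {value!r}") from None
        else:
            raise ValueError(f"unsupported SAN type {kind!r} (only DNS and IP handled here)")
        if (kind, value) in entries:
            raise ValueError(f"duplicate entry {raw!r}")
        entries.append((kind, value))
    return entries


if __name__ == "__main__":
    # The two strings quoted in the thread.
    for s in ("DNS:cplab.clearpassdemo.com,IP:10.80.2.200",
              "DNS:clearpass1.mydomain.org, IP:10.20.100.170"):
        try:
            print("ok ", parse_san_field(s))
        except ValueError as err:
            print("bad", err)
```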

     

     



  • 3.  RE: Creating a CSR with multiple SAN options

    Posted Aug 21, 2013 01:15 PM

    Troy,

     

    Worked like a charm - thanks!

     

    -Mike



  • 4.  RE: Creating a CSR with multiple SAN options

    Posted Aug 21, 2013 11:24 PM

     

    @boston1630 wrote:

    .... I've been told this is the best way to handle certs in CPPM in case of a failover and / or the promotion / demotion of Publishers and Subscribers....

     


     

    I'm curious if you have more information that you (or someone else) can share on why this was recommended.  Is it just a recommended practice or is there a real technical explanation behind it?  Thanks.....

     

     

     

     



  • 5.  RE: Creating a CSR with multiple SAN options

    Posted Aug 22, 2013 12:35 AM

    Hi clembo,

     

    I have been told by the local SE and the local CPPM engineer that this is recommended for SSL connections to the Virtual IP service in a Publisher / Subscriber setup.

     

    I've had a customer set it up on their own - I'm going to be rocking it out at a different customer site next week. I'll let you know how it goes.

     

    -Mike



  • 6.  RE: Creating a CSR with multiple SAN options

    EMPLOYEE
    Posted Aug 26, 2013 12:52 AM


  • 7.  RE: Creating a CSR with multiple SAN options

    Posted Oct 17, 2022 01:55 PM
    Hi All,

    Bringing up an old post here...

    If I use only an FQDN in the SAN field, does the Subscriber need to be able to resolve the FQDN of the Publisher (to be able to form a cluster, aka Make Subscriber)?

    For example I use "DNS:cp-pub1.abc.com"

    And:
    - does the hostname need to be the same as the FQDN in the SAN field?
    - does the CN need to be the same as the FQDN in the SAN field?


  • 8.  RE: Creating a CSR with multiple SAN options

    EMPLOYEE
    Posted Oct 17, 2022 11:01 PM
    Just as old as this post is the certificates 101 document here:  https://support.hpe.com/hpesc/public/docDisplay?docId=a00100345en_us
    Why you would make a SAN field is to ensure that a Captive Portal User will not get an error no matter what ClearPass Box answers the https request.  The publisher and subscriber have nothing to do with SANs.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------