Hi,
Sorry to rehash yet another old post. I figured it would be better than creating a new post.
I was reading @tarnold's post here: Certificate Issues/Questions
And due to my severe lack of understanding of certificates and lack of experience with CPPM in a cluster environment, I wanted to see if I have once again misunderstood what is possible.
In our environment we have two CPPMs. They are in two different physical locations and in different VLANs. However, there is a connection between the two locations so the CPPMs will be able to talk to one another. They are currently not clustered.
What we had planned to do was to modify the DNS at each location to cause the clients to hit the CPPM local to the location they were at.
Location A
Server Hostname: cppm1.demosite.com
DNS entry for CPPM: wireless.demosite.com; x.x.y.x <----- used by all users and devices to communicate with the CPPM
Location B
Server Hostname: cppm2.demosite.com
DNS entry for CPPM: wireless.demosite.com; x.x.y.x <----- used by all users and devices to communicate with the CPPM
We do not intend to use the server hostnames to access the CPPMs. Instead we will use a common DNS name (wireless.demosite.com).
We had run into the error mentioned in @tarnold's post in a previous test environment. Through our tests we discovered that the CPPM takes the URL used to access the CPPM and the CN value defined within the cert. If these two items match then you will not receive the error.
So it was our assumption that we could just use DNS as mentioned above. The same commercial certificate would be loaded on both CPPM servers and all would be well. But after reading the post now I am not so sure.
Within our commercial certificate we made no reference to the IPs of the CPPMs themselves nor the hostnames of the individual servers. But in the examples provided each CPPM is individually defined.
We currently have our commercial cert installed on one of our CPPMs and it is fully functional. We are able to Onboard Apple devices without issue and do not receive the error mentioned in @tarnold's post. My fear, though, is that when we do eventually cluster the two CPPMs together and replace the cert currently installed on the CPPM at location B, we may run into issues.
Will a properly defined DNS entry be enough to get everything working?
Since everything is working already, I don't see why it wouldn't because the only thing that is changing is the IP of the CPPM in the DNS entry. But I also don't have any real experience with a CPPM cluster!
Thank you,
Cheers