Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certificate Question : Two CPPM each in different locations using different VLANs

  • 1.  Certificate Question : Two CPPM each in different locations using different VLANs

    Posted May 01, 2014 10:28 AM

     

    No VIP

     

    When I generate the CSR should it look like this:

    CN: cppm1.cppm.test.com
    DNS: cppm2.cppm.test.com,
    IP: 10.2.100.101,
    IP: 10.2.101.1102,

     



  • 2.  RE: Certificate Question : Two CPPM each in different locations using different VLANs

    EMPLOYEE
    Posted May 01, 2014 10:32 AM

    Check out the document here:  http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=13734

     

    I think you are looking for a clustered deployment.



  • 3.  RE: Certificate Question : Two CPPM each in different locations using different VLANs

    Posted May 01, 2014 10:40 AM

    Thanks Colin, so I guess it shouldn't matter if the SAN FQDN is attached to a different IP address?

    CN:CPPM1.testing.com

    SAN:
    DNS:CPPM2.testing.com
    IP:10.2.100.200



  • 4.  RE: Certificate Question : Two CPPM each in different locations using different VLANs
    Best Answer

    EMPLOYEE
    Posted May 01, 2014 10:46 AM

    If you are using the same certificate for two different boxes, all their IP addresses and DNS names need to be in there.

     

    "SAN – Subject Alternate Name

    The subject alternative names (SubjectAltName) extension allows one SSL certificate to be used to secure one Web server with multiple names (such as a different DNS name, IP address or URI). Alternatively, the SubjectAltName extension can be used to secure up to two virtual Web servers using the same SSL certificate. "

     

    "It is imperative that we configure the system with a Fully-Qualified-Domain-Name (FQDN). I’ve intentionally made an error to highlight that if you want to use a Subject Alternate Name (SAN) attribute in the certificate creation it must begin with uppercase DNS, IP or URI not lowercase letters. Multiple SAN’s entries can be entered comma delimited and there can be a mix of DNS and IP values."

     

     



  • 5.  RE: Certificate Question : Two CPPM each in different locations using different VLANs

    Posted May 01, 2014 10:52 AM

     

    Thanks for the confirmation



  • 6.  RE: Certificate Question : Two CPPM each in different locations using different VLANs
    Best Answer

    EMPLOYEE
    Posted May 01, 2014 11:45 AM
    Remember, if you use the SAN field the CN field is ignored, so you need to put both FQDNs in the SAN field.

    Cn=server1
    San= server1, server2, ip1, ip2

    The IPs are optional. You only need them if you don't use DNS on all redirects.
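
The rules from replies 4 and 6 (uppercase `DNS:`/`IP:`/`URI:` prefixes, comma-delimited entries, CN ignored once a SAN is present, every name of both boxes listed) can be checked before a CSR is submitted. This is an added example, not part of the thread and not ClearPass code; the function names, host names and addresses are constructed for illustration.

```python
import ipaddress

PREFIXES = ("DNS", "IP", "URI")  # uppercase only, per the guide quoted in reply 4

def parse_san(san_field):
    """Split a comma-delimited SAN string into (entries, errors)."""
    entries, errors = [], []
    for raw in san_field.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing comma
        kind, sep, value = item.partition(":")
        value = value.strip()
        if not sep or kind not in PREFIXES or not value:
            errors.append(f"bad entry {item!r}: must start with DNS:, IP: or URI:")
            continue
        if kind == "IP":
            try:
                value = str(ipaddress.ip_address(value))
            except ValueError:
                errors.append(f"bad entry {item!r}: not a valid IP address")
                continue
        elif kind == "DNS":
            value = value.lower()  # DNS names compare case-insensitively
        entries.append((kind, value))
    return entries, errors

def uncovered(cn, san_field, required):
    """Return (missing, errors): required (kind, value) names the cert would not cover.

    Follows the thread's rule: once a SAN is present the CN is ignored,
    so the CN only counts when the SAN field is empty.
    """
    entries, errors = parse_san(san_field)
    covered = set(entries) if san_field.strip() else {("DNS", cn.lower())}
    wanted = [(k, v.lower() if k == "DNS" else v) for k, v in required]
    return [w for w in wanted if w not in covered], errors

# Constructed sample: two nodes with hypothetical names and addresses.
REQUIRED = [("DNS", "cppm1.example.test"), ("DNS", "cppm2.example.test"),
            ("IP", "10.0.100.1"), ("IP", "10.0.101.1")]

if __name__ == "__main__":
    # CN carries node 1, SAN lists only node 2: node 1's FQDN ends up uncovered.
    print(uncovered("cppm1.example.test",
                    "DNS:cppm2.example.test, IP:10.0.100.1, IP:10.0.101.1", REQUIRED))
```
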


  • 7.  RE: Certificate Question : Two CPPM each in different locations using different VLANs

    Posted May 01, 2014 12:51 PM

    Victor,

     

    Did we not cover this in email yesterday, or is this a different opportunity? ..... as Colin points out take a look at my CPPM PKI 101 Guide.

     

     



  • 8.  RE: Certificate Question : Two CPPM each in different locations using different VLANs

    Posted Jun 12, 2014 01:43 AM
    If I redo my public certificate and add a 2nd server using the SAN field, will this cause 802.1X clients to present an error upon next connect because the certificate has changed?


  • 9.  RE: Certificate Question : Two CPPM each in different locations using different VLANs

    EMPLOYEE
    Posted Jun 12, 2014 07:46 AM
    Unless you use a supplicant configuration utility to configure your clients, they will most likely be prompted to accept the new certificate.