@cappalli wrote:
Just an FYI (it will save you a bunch of money), the EAP server certificate only needs a single, generic name for the common name (and is automatically populated to the SAN). Ex: secure-login.yourdomain.com
A quick question on this. I'm researching certificates to help carry a customer through their CPPM upgrade.
If we're referring to the EAP certificate, wouldn't public certificate validation fail without the use of SAN entries?
For example:
clearpass.domain.com -> Not resolvable
Server 1 -> server1.domain.com -> 10.0.0.1
Server 2 -> server2.domain.com -> 10.0.0.2
Server 3 -> server3.domain.com -> 10.0.0.3
I would think the SAN entries would be needed for validation to pass.
My original thought was to have something more akin to the following:
server1.domain.com -> 10.0.0.1
DNS: server2.domain.com, DNS: server3.domain.com
server2.domain.com -> 10.0.0.2
DNS: server1.domain.com, DNS: server3.domain.com
server3.domain.com -> 10.0.0.3
DNS: server1.domain.com, DNS: server2.domain.com