Security

All,

 

Is it possible to put multiple entries into the SAN field when generating a CSR? I tried entering "DNS:clearpass1.mydomain.org, IP:10.20.100.170" and it threw an error. I'm not sure what the delimiter is between the various SAN entries.

 

I'm trying to create a CSR for a VIP that references the publisher and subscriber IPs and FQDNs. I've been told this is the best way to handle certs in CPPM in case of a failover and / or the promotion / demotion of Publishers and Subscribers.

 

Eventually, all of us will have dumped so many questions in this forum that it's going to be a great wiki! Also, it keeps cjoseph on his toes!

 

Thanks!

 

-Mike

I believe there is no spaces. 

 

DNS:cplab.clearpassdemo.com,IP:10.80.2.200

 

 

Troy,

 

Worked like a charm - thanks!

 

-Mike

 

@boston1630 wrote:

.... I've been told this is the best way to handle certs in CPPM in case of a failover and / or the promotion / demotion of Publishers and Subscribers....

 

---

 

I'm curious if you have more information that you (or someone else) can share on why this was recommended.  Is it just a recommended practice or is there a real technical explanation behind it?  Thanks.....

 

 

 

 

Hi clembo,

 

I have been told by the local SE and the local CPPM engineer that this is recommended for SSL connections to the Virtual IP service in a Publisher / Subscriber setup.

 

I've had a customer set it up on their own - I'm going to be rocking it out at a different customer site next week. I'll let you know how it goes.

 

-Mike

Add a new post. Hope this helps explain a few things.....

http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Certificate-Issues-Questions/td-p/94444

Hi All,

Bringing up an old post here...

If at SAN field I use FQDN only, does the Subscriber need to be able to resolve the FQDN of the Publisher (to be able to form cluster aka Make Subscriber) ?

For example I use "DNS:cp-pub1.abc.com"

And:
- does the hostname need to be the same as the FQDN at SAN field ?
- does the CN need to be the same as the FQDN at SAN field ?
Original Message:
Sent: Aug 21, 2013 11:43 AM
From: Mike Courtney
Subject: Creating a CSR with multiple SAN options

All,

 

Is it possible to put multiple entries into the SAN field when generating a CSR? I tried entering "DNS:clearpass1.mydomain.org, IP:10.20.100.170" and it threw an error. I'm not sure what the delimiter is between the various SAN entries.

 

I'm trying to create a CSR for a VIP that references the publisher and subscriber IPs and FQDNs. I've been told this is the best way to handle certs in CPPM in case of a failover and / or the promotion / demotion of Publishers and Subscribers.

 

Eventually, all of us will have dumped so many questions in this forum that it's going to be a great wiki! Also, it keeps cjoseph on his toes!

 

Thanks!

 

-Mike

Just as old as this post is the certificates 101 document here:  https://support.hpe.com/hpesc/public/docDisplay?docId=a00100345en_us
Why you would make a SAN field is to ensure that a Captive Portal User will not get an error no matter what ClearPass Box answers the https request.  The publisher and subscriber have nothing to do with SANs.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Oct 17, 2022 01:54 PM
From: BERNHARD HUSTOMO
Subject: Creating a CSR with multiple SAN options

Hi All,

Bringing up an old post here...

If at SAN field I use FQDN only, does the Subscriber need to be able to resolve the FQDN of the Publisher (to be able to form cluster aka Make Subscriber) ?

For example I use "DNS:cp-pub1.abc.com"

And:
- does the hostname need to be the same as the FQDN at SAN field ?
- does the CN need to be the same as the FQDN at SAN field ?
Original Message:
Sent: Aug 21, 2013 11:43 AM
From: Mike Courtney
Subject: Creating a CSR with multiple SAN options

All,

 

Is it possible to put multiple entries into the SAN field when generating a CSR? I tried entering "DNS:clearpass1.mydomain.org, IP:10.20.100.170" and it threw an error. I'm not sure what the delimiter is between the various SAN entries.

 

I'm trying to create a CSR for a VIP that references the publisher and subscriber IPs and FQDNs. I've been told this is the best way to handle certs in CPPM in case of a failover and / or the promotion / demotion of Publishers and Subscribers.

 

Eventually, all of us will have dumped so many questions in this forum that it's going to be a great wiki! Also, it keeps cjoseph on his toes!

 

Thanks!

 

-Mike