Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Still confused with multiple SAN entries for cert

  • 1.  Still confused with multiple SAN entries for cert

    Posted Feb 24, 2015 01:19 AM

    Hello all,

    Here is my scenario: I have a production ClearPass server and will be adding another using a VIP. I need to order a new 3rd party cert that references both servers. When creating the CSR do I need to reference the VIP FQDN and IP or just the Server1 and Server2 FQDNs and IPs?

    For example:

    CN: cppm.xxx.com

    SAN:DNS:cppm01.xxx.com,DNS:cppm02.xxx.com,IP:10.17.2.31,IP:10.17.2.32

    or like this with the VIP in the SAN:

    CN: cppm.xxx.com

    SAN:DNS:cppm.xxx.com,DNS:cppm01.xxx.com,DNS:cppm02.xxx.com,IP:10.17.2.30,IP:10.17.2.31,IP:10.17.2.32

    Hope that makes sense, thanks for your help.



  • 2.  RE: Still confused with multiple SAN entries for cert

    EMPLOYEE
    Posted Feb 24, 2015 01:22 AM
    If you redirect by IP then you should add the IPs, but most do not. They would point to the URL.

    For a two-server setup you can just put the 3 FQDNs in the SAN entry.


  • 3.  RE: Still confused with multiple SAN entries for cert

    EMPLOYEE
    Posted Feb 24, 2015 01:23 AM
    Sorry, forgot to add:

    Server 1 FQDN
    Server 2 FQDN
    VIP FQDN
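
The SAN layout recommended in the two replies above (VIP FQDN plus both node FQDNs, no IP entries), carried through as an added example that is not part of the thread: a small POSIX shell script that writes the OpenSSL request config, checks the subjectAltName it produced, and, when openssl is installed, generates the key and CSR and prints the SAN the CA will see. The hostnames are the ones from the original post; the key size, file names and temporary directory are assumptions.

```shell
# Added example (not from the thread): OpenSSL CSR config for a two-node
# ClearPass cluster behind a VIP, with the VIP FQDN and both node FQDNs in the
# SAN and no IP entries. Hostnames come from the post; everything else is assumed.

# make_csr_config CN HOST... : print an OpenSSL req config whose SAN lists HOST...
# as DNS entries. The CN is repeated in the SAN because clients match on SAN only.
make_csr_config() {
  cn=$1
  shift
  san=""
  for h in "$@"; do
    san="${san}${san:+,}DNS:${h}"
  done
  cat <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = ${cn}

[ v3_req ]
subjectAltName = ${san}
EOF
}

# san_of_config : read a config on stdin and print just the subjectAltName value.
san_of_config() {
  sed -n 's/^subjectAltName = //p'
}

# san_has_host SAN HOST : succeed if HOST appears as a DNS entry in SAN.
san_has_host() {
  case ",$1," in
    *",DNS:$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Cluster from the post: the VIP name is the CN and every node name is a SAN.
VIP=cppm.xxx.com
NODES="cppm01.xxx.com cppm02.xxx.com"

# Spare names for a CA that sells 5-entry SAN bundles would simply be appended
# to this argument list.
CONFIG=$(make_csr_config "$VIP" "$VIP" $NODES)
SAN=$(printf '%s\n' "$CONFIG" | san_of_config)

# With openssl on the PATH, produce the key and CSR and show the SAN the CA
# will see; otherwise just print the config.
if command -v openssl >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  printf '%s\n' "$CONFIG" > "$WORK/cppm.cnf"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/cppm.key" -out "$WORK/cppm.csr" -config "$WORK/cppm.cnf" 2>/dev/null
  # Check the CSR before sending it to the CA: the VIP and every node must be listed.
  openssl req -in "$WORK/cppm.csr" -noout -text | grep -A1 'Subject Alternative Name'
  rm -rf "$WORK"
else
  printf '%s\n' "$CONFIG"
fi
```

The check in `san_has_host` is the one to run against the issued certificate as well, since a SAN bundle that is missing one node name will fail validation on that node even though the CN matches the VIP.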


  • 4.  RE: Still confused with multiple SAN entries for cert

    EMPLOYEE
    Posted Feb 24, 2015 01:49 AM
    A couple of other notes.

    1. There is a cert 101 doc on the support site.

    2. Most 3rd party CAs have SAN certs that usually come in a 5 SAN entry bundle. I would fill in all 5 so you don't have to reissue the certs if you add any additional CPPMs.


  • 5.  RE: Still confused with multiple SAN entries for cert

    Posted Feb 24, 2015 10:38 AM
    Thank you for the input. We redirect via URL so I'll drop the IPs.


  • 6.  RE: Still confused with multiple SAN entries for cert

    Posted Feb 24, 2015 12:02 PM

    Todd,

    Please do read my TechNote on CPPM PKI 101... it covers your use case and a lot more.

    CPPM - Certificates 101 Technote V1.0 .pdf