10-22-2019 10:54 AM
We are trying to get public certs for a clustered MRA deployment. (Two Cores and two Edge servers). The Public CA indicates they will not allow company.com as a SAN. This is the registrations domain being used.
Any idea how we can get around this?
10-22-2019 11:02 AM
Does your customer own the domain you are trying to sign the cert for? If so, what reason is the CA giving you?
10-22-2019 11:24 AM
The customer does own the domain.
I am trying to find out the reason given. They did indicate they could combine both Expressway-Es on the same cert and then add mclaneco.com. I am not a certificate guy, so I am not sure what they are meaning there.
I am thinking since this is a cluster, I cannot have the two devices using the same cert.
10-22-2019 12:00 PM
Expressway C and E are not clustered together; Cs are one cluster and Es are another. You only need a publicly signed cert for your Expressway E cluster. Here is a link to the Expressway cert guide in case you have not seen it:
10-22-2019 01:36 PM
Sorry for the confusion. I am clustering only my Expressway-Es and then I have another cluster for the Expressway-Cs.
My problem is just with the certificates for the Exp-Es.
10-22-2019 03:12 PM
Did you get a chance to review the doc?
For clustered environment here are important snippets:
Server Certificates and Clustered Systems
When a CSR is generated, a single request and private key combination is generated for that peer only. If you have a cluster of Expressways, you must generate a separate signing request on each peer. Those requests must then be sent to the certificate authority and the returned server certificates uploaded to each relevant peer.
You must ensure that the correct server certificate is uploaded to the appropriate peer, otherwise the stored private key on each peer will not correspond to the uploaded certificate.
If the Expressway is clustered, with individual certificates per Expressway:
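Added example (not part of the thread or the Cisco guide): a pre-upload check that a returned certificate carries the same public key as the CSR generated on a given peer, and that it lists the expected SAN. It assumes you have saved each peer's CSR next to the certificate the CA returned; the host names, the `example.test` domain and the self-signed certificates standing in for the CA's reply are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: match each returned certificate to the peer whose CSR produced it.
spki_hash() {  # spki_hash cert|csr FILE -> SHA-256 of the PEM public key
  local pem
  case "$1" in
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
  esac
  [ -n "$pem" ] || return 1   # unreadable file must never count as a match
  printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

cert_matches_csr() {  # cert_matches_csr CERT CSR
  local c r
  c=$(spki_hash cert "$1") && r=$(spki_hash csr "$2") && [ "$c" = "$r" ]
}

has_san() {  # has_san CERT DNSNAME (exact match on one DNS SAN entry)
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$2"
}

# Constructed demo data: one key, CSR and certificate per peer.
make_peer() {  # make_peer DIR FQDN DOMAIN
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
  openssl req -new -x509 -key "$1/$2.key" -subj "/CN=$2" -days 1 \
    -addext "subjectAltName=DNS:$2,DNS:$3" -out "$1/$2.pem" 2>/dev/null
}

WORK=$(mktemp -d)
make_peer "$WORK" expe1.example.test example.test
make_peer "$WORK" expe2.example.test example.test
for p in expe1 expe2; do
  for c in expe1 expe2; do
    if cert_matches_csr "$WORK/$c.example.test.pem" "$WORK/$p.example.test.csr"
    then echo "peer $p <- cert $c: OK to upload"
    else echo "peer $p <- cert $c: MISMATCH, belongs to another peer"; fi
  done
done
```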
10-22-2019 10:27 PM
Hello,
Adding one more point to @Chris Deren's.
If they are not adding only the domain in the SAN, then you can use _collab-edge with the domain entry. That will also serve the same purpose for MRA.
Thanks
Please rate if it is helpful...