11-17-2010 03:09 PM - edited 02-21-2020 04:09 AM
We have had third-party certs generated for the CAS and the CAM and these have installed OK, along with the relevant root and intermediate certificates, and the CAS/CAM are communicating fine.
However, when a user is redirected to the authentication page, the URL generated is using the CN from the certificate:
https://al-nac.sitename.local.companyname.co.uk/auth/perfigo.......etc.
However, the machine cannot resolve the URL.
We cannot add DNS entries for this URL; we only administer the sitename.local domain.
Is there a way for the CAS to request the user to access a URL via an IP address?
If I requested a new certificate, but used the IP address instead of the machine name, would the authentication page be referenced by this?
Regards
Tony
11-17-2010 06:44 PM
Tony,
This is correct. The redirect will happen to whatever the CN is set to, so if you set the cert's CN to an IP address, the redirect will happen to that IP address.
HTH,
Faisal
--
If you find this post helpful, please rate so others can find the answer easily
11-17-2010 11:30 PM
I'll give our certificate issuer a call this morning; however, I'm sure they mentioned in the past they need a resolvable name to generate the certificate?
When we asked for certificates for al-nam.sitename.local they were unable to generate them, hence the CN=al-nac.sitename.local.company.co.uk
Is this the same for generating certificates against IP addresses?
Regards
Tony
11-18-2010 06:22 AM
Hi Tony,
Are these just for internal users? If so, you may be better off with something like an internally generated cert (like from Microsoft CA) rather than an external one. I don't believe they'll do IP address-based certs, either.
Thanks,
Lauren
11-18-2010 06:26 AM
Hi Tony,
Most third-party CAs will not issue certificates to IP addresses because they cannot verify that you own that IP address. Same with internal domain names like it seems you may be using. They can probably only verify the domain name of "company.co.uk" so they have to issue a cert to that name space.
If your clients can't resolve that full name, then you'll likely need to set up an internal CA to issue a certificate to either the local IP address or local hostname.
Thanks,
Nate
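The internal-CA route suggested in the reply above, sketched with OpenSSL as an added example that is not part of the thread. OpenSSL stands in for whichever internal CA is used; the CA name, the address 192.0.2.10 and the file layout are constructed. The CN is set to the IP because the redirect follows the CN, and a matching subjectAltName IP entry is added because current TLS clients validate against the SAN.

```shell
#!/usr/bin/env bash
# Added example: internal CA issuing a server certificate for an IP address.
# "Example Internal CA", 192.0.2.10 and all file names are constructed values.
set -euo pipefail

issue_ip_cert() {   # usage: issue_ip_cert <ip> <output-dir>
  local ip="$1" dir="$2"
  mkdir -p "$dir"
  # 1. Internal root CA (self-signed). Every client must trust ca.crt.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Internal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server key and CSR. CN is the IP, since the redirect uses the CN.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$ip" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # 3. Sign the CSR, adding the IP as a subjectAltName entry.
  printf 'subjectAltName=IP:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$ip" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$dir/san.ext" \
    -out "$dir/server.crt" 2>/dev/null
}

cert_cn() {         # print the subject CN of a certificate file
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    awk -F'= ' '/commonName/ {print $2}'
}

chain_ok() {        # usage: chain_ok <ca.crt> <server.crt>
  local out
  out="$(openssl verify -CAfile "$1" "$2" 2>&1)" || true
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

ip_matches() {      # usage: ip_matches <server.crt> <ip the client is sent to>
  local out
  out="$(openssl x509 -in "$1" -noout -checkip "$2" 2>&1)" || true
  case "$out" in *"does match"*) return 0 ;; *) return 1 ;; esac
}

workdir="$(mktemp -d)"
issue_ip_cert 192.0.2.10 "$workdir"
echo "CN: $(cert_cn "$workdir/server.crt")"
if chain_ok "$workdir/ca.crt" "$workdir/server.crt"; then echo "chain: OK"; fi
if ip_matches "$workdir/server.crt" 192.0.2.10; then echo "redirect IP matches cert"; fi
```

Clients only accept the result once `ca.crt` is in their trusted root store; without that they see the same warning as for any untrusted issuer.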
11-18-2010 08:05 AM
Thanks for all the replies. I'm going to have to go down the route of an internal CA - another can of worms!
Many thanks
Tony
PS. Nate, this is one of your SRs
11-18-2010 08:22 AM
Tony,
Another data point which might or might not be helpful. I've had cases with customers before where DigiCert has given out certificates signed for IP addresses - so it does happen, not with all CAs though.
HTH,
Faisal
--
If you find this post helpful, please rate so others can find the answer easily