05-11-2015 05:54 AM - edited 03-13-2019 08:58 PM
Hi,
I want to sign an Expressway-E CSR with a public CA. As per Cisco (and other) documentation and guides, my current CSR has 5 SANs (Subject Alternative Names).
My customer is currently using GoDaddy, which happily throws away the requested SANs and replaces them with host.domain.com and www.host.domain.com. Not really what I requested. GoDaddy does have a separate form where you can fill out extra SANs, up to a maximum of 4 SANs. Still not enough for an Expressway.
Can anybody recommend a good public CA which honors the actual CSR and/or supports 5+ SANs? Also, good/bad experiences with public CAs in combination with Expressway-E are highly welcome.
Thank you for your feedback,
-Danny
05-11-2015 11:31 AM
I personally haven't had any issues with GoDaddy and they have issued the correct SANs. Sometimes the reason the SAN is not coming through is if you have a domain that is not publicly registered, e.g. domain.local or domainint.com. In those cases, most CAs disregard the SANs.
05-27-2015 03:21 AM
I had a problem with GoDaddy because they didn't allow a "duplicate" FQDN (CN + SAN). Which is strange, because it is the usual way to ensure backwards compatibility when checking for names inside the certificate.
I should note that the FQDN of the server MUST be in the SAN list because RFC 6125 specifies that a client is not allowed to parse the CN field if SAN entries are present. In the future the CN field will be deprecated.
I have now signed with GeoTrust because they allow changes and additions to the SAN list for the lifetime of the certificate. This should cover any development changes in the Expressway setup. I don't think GoDaddy has such a service.
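
The two checks discussed in this thread, as an added example that is not part of the original posts: which requested SANs a CA dropped, and why a server FQDN that appears only in the CN fails RFC 6125 matching once any SAN dNSName is present. It works on names already extracted from the CSR and certificate; the names other than host.domain.com and www.host.domain.com are constructed samples, and the wildcard rule is a deliberately conservative assumption.

```python
# Added example: RFC 6125-style name check on already-parsed names.
# REQUESTED/ISSUED are constructed sample values, not real Expressway names.

def _name_match(presented: str, host: str) -> bool:
    """Compare one presented DNS name with the reference host name."""
    p = presented.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    # Assumption: a wildcard is honoured only as the whole left-most label,
    # and never directly under a top-level domain.
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def host_matches(host, subject_cn, san_dns):
    """If any SAN dNSName exists, the CN is ignored (RFC 6125, section 6.4.4)."""
    if san_dns:
        return any(_name_match(n, host) for n in san_dns)
    return subject_cn is not None and _name_match(subject_cn, host)


def dropped_sans(requested, issued):
    """Names asked for in the CSR that are absent from the issued certificate."""
    have = {n.lower() for n in issued}
    return [n for n in requested if n.lower() not in have]


# Five names requested in the CSR (constructed).
REQUESTED = ["host.domain.com", "domain.com", "edge.domain.com",
             "sip.domain.com", "conf.domain.com"]
# What the CA put in the certificate instead, as described in the first post.
ISSUED = ["host.domain.com", "www.host.domain.com"]

if __name__ == "__main__":
    print("dropped by CA:", dropped_sans(REQUESTED, ISSUED))
    # FQDN present only in the CN while other SANs exist: no match.
    print(host_matches("host.domain.com", "host.domain.com",
                       ["www.host.domain.com"]))
    # Same FQDN listed as a SAN: match, regardless of the CN.
    print(host_matches("host.domain.com", "host.domain.com", ISSUED))
```

Running `dropped_sans` against the SAN list of the certificate the CA returns, before installing it, catches a silently rewritten SAN list early.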