01-25-2016 01:48 AM - edited 03-19-2019 10:38 AM
Hi
We are looking to implement expressway clustering and I have read the line below (from the guide) several times and I still can't figure it out:
"This is achieved by including in the subject alternative names of the Expressway-C certificate the FQDNs of the Expressway-C cluster nodes and by setting the TLS verify subject name equal to the FQDN of the Expressway-C cluster"
I think they are trying to say that I need to generate a certificate for each Exp-C cluster node and include in the SAN, the Exp-C cluster name?
So I create a cert for Exp-C-Node-1 and in this cert I have a SAN entry for exp-c-cluster-1.domain.com.
Right?
I then use the FQDN of the cluster in the Exp-E TLS verify subject name and this will work because the Cert the Exp-E receives from the Exp-C will include this FQDN in its SAN?
Ta
01-25-2016 08:14 AM
If you go to your server and try to generate the CSR, I'm guessing this will be a lot clearer to you, once you see the options in there.
01-25-2016 11:52 AM
When you generate the CSR you will have a dropdown option that gives you the option of local FQDN or cluster and peers FQDNs (or something worded like that). Create your cluster first and add/verify all peer connections prior to generating the CSR.
Also, for more information check out the Certificate Generation Guide for VCS/Expressway on cisco.com. It is a good resource for this and explains it in more detail.
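As an added illustration (not part of this thread, and not Cisco's own tooling), the check below shows the relationship the question describes: the name configured as the Expressway-E "TLS verify subject name" has to appear as a DNS subject alternative name in the certificate the Expressway-C presents. It generates a throwaway self-signed certificate for one cluster peer whose SANs carry the peer FQDNs and the cluster FQDN, then tests candidate names against the SAN list. All hostnames (`exp-c-node-1.domain.com`, `exp-c-node-2.domain.com`, `exp-c-cluster-1.domain.com`) are placeholders, and the certificate is self-signed only so the script runs offline; in a real deployment the CSR is signed by your CA. It requires OpenSSL 1.1.1 or later for `-addext` and `-ext`.

```shell
#!/bin/sh
# Constructed example: build a self-signed cert for one Expressway-C peer
# whose SANs list the peer FQDNs plus the cluster FQDN, then check whether a
# given name (the Expressway-E "TLS verify subject name") is among the SANs.
# Hostnames below are placeholders, not real infrastructure.

WORKDIR="$(mktemp -d)"
CERT="$WORKDIR/exp-c-node-1.pem"
KEY="$WORKDIR/exp-c-node-1.key"

# Generate the demo certificate. Subject CN is the local node FQDN; the SAN
# extension carries every cluster peer and the cluster FQDN, which is what
# the "cluster and peers FQDNs" CSR option produces on the Expressway.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$KEY" -out "$CERT" \
    -subj "/CN=exp-c-node-1.domain.com" \
    -addext "subjectAltName=DNS:exp-c-node-1.domain.com,DNS:exp-c-node-2.domain.com,DNS:exp-c-cluster-1.domain.com" \
    >/dev/null 2>&1
}

# Print the DNS entries of the subjectAltName extension, one per line.
# Usage: list_dns_sans /path/to/cert.pem
list_dns_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# Exit 0 if the name is present as an exact (case-insensitive) DNS SAN,
# 1 otherwise. Usage: cert_has_san /path/to/cert.pem exp-c-cluster-1.domain.com
cert_has_san() {
  list_dns_sans "$1" | grep -qxi "$2"
}

# Report, for a proposed TLS verify subject name, whether the peer cert
# would satisfy it. Prints OK or MISSING and returns the matching status.
check_tls_verify_name() {
  if cert_has_san "$1" "$2"; then
    echo "OK: $2 is in the SAN of $1"
    return 0
  fi
  echo "MISSING: $2 is not in the SAN of $1"
  return 1
}

# Example run (uncomment to try interactively):
# make_demo_cert && check_tls_verify_name "$CERT" exp-c-cluster-1.domain.com
```

To check a live peer instead of the demo file, replace the `-in "$1"` input with the chain fetched by `openssl s_client` on the Expressway-C traversal port and inspect the leaf certificate the same way; if the cluster FQDN is missing from its SANs, the Expressway-E TLS verify will fail regardless of what the subject CN says.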