Configuring SSL - what hostname?

Sonny Wyatt
Level 1

Howdy,

We are running WSAs and have three interfaces configured: management and two interfaces for web traffic.

The management interface is called: wsa_name.domain.com

P1 is called: wsa_name-inside.domain.com

P2 is called: wsa_name-outside.domain.com

M1 is limited to just management services. P1 is where users connect to via WPAD and P2 connects to the outside world.

My question is, when I create an SSL certificate for the hosts to enable SSL decryption, what hostname do I use? Is it the management interface name or is it P1's name? I remember reading somewhere that if you get it wrong, it mostly still works but transparent authentication can get muddled up.

3 Replies

Dennis Mink
VIP Alumni

Which host name will be used to connect? Both?

Please remember to rate useful posts, by clicking on the stars below.

M1 is restricted to management services only.

P1 is where clients will connect to.

P2 is not accessible for client connectivity.

I'm not sure if I use the M1 hostname (which is the same as the WSA hostname) or the P1 hostname. M1 handles authentication services back to Active Directory, so I was thinking that was the right one. Would I then use the FQDN in the SSL common name or just the short name?

Chris Illsley
Level 3

Hi Sonny,

The hostname isn't an issue, from someone cleverer than me, Ken Stieers:

It has to be a root signing cert in a chain that your workstations will trust... Standard server certs just say "I'm server x", they can't sign certs saying server Y really is server Y...

On the WSA, it's creating certs on the fly like a root authority would, one for each https site you're hitting.

You have 3 options:

1. Buy a root cert...  http://www.sslshopper.com/article-trusted-root-signing-certificates.html (this can be super expensive)

2. If you're in an MS world, install an Enterprise CA using MS Cert Server (your clients will automatically trust it), generate a root signing cert from it, and put that on the WSA (or grab its root cert and put that on the WSA).

3. Download the Ironport cert and deploy it to all of your clients.
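
The distinction drawn in the reply above (a signing cert versus a standard server cert) can be checked with `openssl` before a certificate is uploaded for HTTPS decryption. This is an added example, not part of the original thread and not Cisco tooling; the function names, the CA subject and both certificates are constructed throwaway test material, and it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example: every certificate and name below is constructed test material.

# Return 0 if the PEM certificate in $1 can act as a signing CA:
# basicConstraints CA:TRUE and, when keyUsage is present, keyCertSign.
# Return 1 for a leaf/server cert, 2 if the file cannot be parsed.
is_signing_ca() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

# Build two self-signed certificates in directory $1:
# ca.pem (a root signing cert) and srv.pem (an ordinary server cert).
make_demo_certs() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/openssl.cnf" \
        -extensions v3_ca -subj "/CN=Example Decryption Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/openssl.cnf" \
        -extensions v3_srv -subj "/CN=wsa_name.domain.com" \
        -keyout "$1/srv.key" -out "$1/srv.pem" 2>/dev/null
}

report() {
    if is_signing_ca "$1"; then echo "$1: usable as a signing cert"
    else echo "$1: NOT a signing cert (server/leaf cert)"; fi
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir" && report "$demo_dir/ca.pem" && report "$demo_dir/srv.pem"
rm -rf "$demo_dir"
```

The second certificate carries the appliance hostname from the question and still fails the check, which is the point of the reply: the hostname in the subject does not make a certificate able to sign others.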
