Certificates for DNS Name (high availability)

Answered Question
Apr 29th, 2010

Hi all,


We have CAM and CAS in HA mode. We need to generate a CSR but I have some confusion about the DNS name.

Network setup is like this:


Hostname     IP address
=========    ============
CAM01        192.168.0.8
CAM02        192.168.0.9
             192.168.0.10 (virtual IP address)
CAS01        172.30.1.8
CAS02        172.30.1.9
             172.30.1.10  (virtual IP address)


All hostnames are already registered in local DNS, and all devices are pingable by FQDN, e.g. CAM01.test.com, CAM02.test.com.


Which hostname should I use for the CSR?


Thank you

Correct Answer by Faisal Sehbai about 6 years 11 months ago

Laxman,


Wireless IB guides: http://tinyurl.com/2ef2kk Look at chapter 3 for design considerations.


HTH,

Faisal

Overall Rating: 5 (2 ratings)
Correct Answer
Faisal Sehbai Thu, 04/29/2010 - 06:49

Hi,


Create a third name, call it CAM, and make it resolvable to the Service IP. Generate your CSR for that.


The same thing for CAS. The name should resolve to the service IP and you should get certificate for that name.


HTH,

Faisal
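
A pre-submission check for the advice above, added here as an example and not part of the original thread: it confirms that the common name in a CSR resolves to the HA service IP rather than to one node. The name cam.test.com, the hosts-style table and the helper function names are assumptions, and the openssl-generated CSRs stand in for the CSR exported from the appliance.

```shell
#!/bin/sh
# Constructed DNS view of the CAM pair, hosts-file style. cam.test.com is an
# assumed "third name" that points at the service (virtual) IP.
HOSTS='192.168.0.8 cam01.test.com
192.168.0.9 cam02.test.com
192.168.0.10 cam.test.com'
SERVICE_IP=192.168.0.10

# Print the address a name maps to in the constructed table (empty if none).
lookup() {
    printf '%s\n' "$HOSTS" |
        awk -v n="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '$2 == n { print $1; exit }'
}

# Print the CN of a CSR; handles both "CN = x" and "/CN=x" subject layouts.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Succeed only when the CSR's CN resolves to the HA service IP.
csr_matches_service_ip() {
    cn=$(csr_cn "$1")
    [ -n "$cn" ] && [ "$(lookup "$cn")" = "$SERVICE_IP" ]
}

# Create a throwaway key and CSR for CN $1 in directory $2; print the CSR path.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.csr" 2>/dev/null
    printf '%s\n' "$2/$1.csr"
}

# Compare a CSR for the service name with one for a single node's hostname.
demo() {
    dir=$(mktemp -d)
    for name in cam.test.com cam01.test.com; do
        csr=$(make_csr "$name" "$dir")
        if csr_matches_service_ip "$csr"; then
            echo "$name: OK, resolves to service IP $SERVICE_IP"
        else
            echo "$name: REJECT, resolves to $(lookup "$name"), not the service IP"
        fi
    done
    rm -rf "$dir"
}
demo
```

The same check applies to the CAS pair by swapping in its three records and 172.30.1.10 as the service IP.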

blaxucisco Thu, 04/29/2010 - 16:52

Hi Faisal,


Thank you very much for the solution.


We have to implement wireless in in-band virtual gateway mode. If you have any configuration sample for this, please provide it to me.


Thanks again

--Laxman

blaxucisco Sun, 05/02/2010 - 23:41

Hi Faisal,


This question is regarding certificates.


In our scenario the CAS is in HA mode. For the HA configuration I created temp certificates on both CAS with their hostnames and configured the HA primary, and after configuration the service IP is pingable. To add the CAS to the CAM I have to create a new certificate using the service IP and put it in the CAM. After generating the new certificate with the service IP address, the old certificate of the CAS will be replaced by the new certificate. At that moment, which certificate will be used for the CAS HA peer?


This question is regarding the license.


We have to implement in-band virtual gateway mode, but when I tried to connect a new CAS server there is no option for in-band virtual gateway. Only these options are available in CAM:


1. virtual gateway
2. real ip gateway
3. out-of-band virtual gateway
4. out-of-band real ip gateway



License detail is here:


1. Standard Manager License present
2. Manager Failover License present
3. Out-of-Band Server Count                            2


Do we need to have a separate CAS license for in-band mode?


Waiting for your reply.


Thank you

Faisal Sehbai Mon, 05/03/2010 - 06:34

Hi,


For certs, you need one cert for BOTH your CAS devices if they're in HA. Basically you need a cert for each CAS, and a CAS in HA is counted as one.


So let's say you have one HA OOB CAS, and a single IB CAS, then you need two certs for CASs.


For licensing, where it says Virtual Gateway or Real-IP only, it means in-band.


HTH,

Faisal

blaxucisco Mon, 05/03/2010 - 17:42

Hi Faisal,


Thank you for your answer. Your answers are always valuable to me.

If we have CAS or CAM in HA mode we don't need to have a separate certificate; only one certificate will be OK. That means if we have 2 CAS, CAS1 and CAS2, in HA mode I don't need to generate a CSR from separate CAS servers; the virtual IP/host CA-signed certificate is enough for both CAS servers?


Thank you

Faisal Sehbai Tue, 05/04/2010 - 04:15

Hi,


That is correct. For CAS1 and CAS2, you should have one cert only which you'll install on both devices.


HTH,

Faisal
