Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2365
Views
0
Helpful
3
Replies

Can we use SAN certificate for a cluster of Ironport ESAs?

Chandan Visweswara
Level 1
Level 1

‎03-05-2014 09:34 AM

We have 6 C670 appliances all connected in cluster. As of now, we have installed individual SSL certificates installed on each appliance. We are contemplating on the idea of going for one SAN certificate instead of inidivdual certificate. Can this be done? How can we configure each IronPort to refer to one certificate?

2 people had this problem
Labels:
0 Helpful
3 Replies 3

Ken Stieers
VIP
VIP

‎03-05-2014 09:36 AM

You can use a SAN cert.  You have to install it on each box.  (which means you need the private key too...)

Check with your cert provider on the license for that cert.  Some of them limit the number of machines you can install the cert on.

0 Helpful

Chandan Visweswara
Level 1
Level 1
In response to Ken Stieers

‎03-05-2014 09:53 AM

Thanks Ken. But wouldn't that carry the same hostname for all the appliances then? I'm not well informed about how SAN certificate works, but, do we need to create individual CSR files from each appliance to obtain one SAN cert and then install that one SAN cert for each certificate profile?

0 Helpful

Ken Stieers
VIP
VIP
In response to Chandan Visweswara

‎03-05-2014 10:08 AM

No, as that's the point of a SAN cert (SAN stands for "Subject Alternative Name")  The SAN cert can have many different names, and they don't have to be related.  Its sort of like a wildcard cert (eg. *.domain.com), but instead of everything having to end in "domain.com", it can have any name you want... so you can have "box1.domain1.com" "box2.domain2.com", etc...

No, you don't generate the CSR on each box... I do it once on a Windows box, export the cert and private key, split into its pieces using OpenSSL and upload it to as many boxes as I need to...   I use one wildcard cert since I use one mail handler on one domain for all of my domains...

Ken

0 Helpful
Customers Also Viewed These Support Documents