03-05-2014 09:34 AM
We have 6 C670 appliances all connected in a cluster. As of now, we have individual SSL certificates installed on each appliance. We are contemplating the idea of going for one SAN certificate instead of individual certificates. Can this be done? How can we configure each IronPort to refer to one certificate?
03-05-2014 09:36 AM
You can use a SAN cert. You have to install it on each box. (which means you need the private key too...)
Check with your cert provider on the license for that cert. Some of them limit the number of machines you can install the cert on.
03-05-2014 09:53 AM
Thanks Ken. But wouldn't that carry the same hostname for all the appliances then? I'm not well informed about how a SAN certificate works, but do we need to create individual CSR files from each appliance to obtain one SAN cert and then install that one SAN cert for each certificate profile?
03-05-2014 10:08 AM
No, as that's the point of a SAN cert (SAN stands for "Subject Alternative Name"). The SAN cert can have many different names, and they don't have to be related. It's sort of like a wildcard cert (e.g. *.domain.com), but instead of everything having to end in "domain.com", it can have any name you want... so you can have "box1.domain1.com", "box2.domain2.com", etc...
No, you don't generate the CSR on each box... I do it once on a Windows box, export the cert and private key, split it into its pieces using OpenSSL and upload it to as many boxes as I need to... I use one wildcard cert since I use one mail handler on one domain for all of my domains...
Ken
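The workflow Ken describes (one key pair, one certificate naming every appliance, exported and then split with OpenSSL before upload), as an added example that is not from the thread or from Cisco: it builds a self-signed SAN cert so it runs offline, checks that each appliance name is actually covered and that the split key matches the cert, and the hostnames in HOSTS are made-up placeholders. In production you would send the CSR (the same `openssl req` without `-x509`) to your CA instead of self-signing.

```shell
#!/bin/sh
# Added example (not from the thread): one private key and one certificate
# carrying a subjectAltName for every appliance, verified, then exported to
# PKCS#12 and split back into the PEM cert and PEM key each appliance needs.
# Hostnames are placeholders, not real appliances.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOSTS="${HOSTS:-esa1.example.com esa2.example.com esa3.example.com}"

# Turn "a b c" into the OpenSSL SAN syntax "DNS:a,DNS:b,DNS:c".
san_list() {
    echo "$1" | sed 's/ /,DNS:/g; s/^/DNS:/'
}

# Generate the key ONCE and a self-signed cert that lists all appliance names.
make_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/san.key" -out "$WORK/san.crt" \
        -subj "/CN=$(echo "$HOSTS" | cut -d' ' -f1)" \
        -addext "subjectAltName=$(san_list "$HOSTS")" 2>/dev/null
}

# Does the certificate cover the given hostname? (exit 0 = yes)
cert_covers() {
    openssl x509 -in "$WORK/san.crt" -noout -checkhost "$1" | grep -q 'does match'
}

# Export to PKCS#12 (what a Windows export hands you), then split it into
# the certificate-only and key-only PEM files the appliance profile wants.
export_and_split() {
    openssl pkcs12 -export -in "$WORK/san.crt" -inkey "$WORK/san.key" \
        -out "$WORK/san.p12" -passout pass:changeit
    openssl pkcs12 -in "$WORK/san.p12" -passin pass:changeit \
        -clcerts -nokeys -out "$WORK/upload.crt"
    openssl pkcs12 -in "$WORK/san.p12" -passin pass:changeit \
        -nocerts -nodes -out "$WORK/upload.key"
}

# Sanity check before uploading: the split key must belong to the split cert.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/upload.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/upload.key" -pubout)" ]
}
```

Run `make_san_cert`, then `cert_covers esa2.example.com`, then `export_and_split` and `key_matches_cert`; the resulting upload.crt and upload.key are what you load into each appliance's certificate profile.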