Cisco Support Community
New Member

hostnames, TLS and multiple Public IPs

We have 2 Public IPs on our C10. We have a business partner that needs the Common Name for the TLS Certificate to be the same as the ehlo hostname. Since it appears that only one Certificate can be loaded on an appliance, we are thinking of picking one of the 2 Public IP names (i.e. mx1.mydomain.com) as the ehlo hostname for both. This way the Business Partner's TLS will work and we will not have any 450 <mx.mydomain.com>: Helo command rejected: Host not found issues.

The 2 connection sequences would look as follows:
Trying ##.##.##.###...
Connected to mx1.mydomain.com.
Escape character is '^]'.
220 mx1.mydomain.com ESMTP
ehlo mail1.bp.com
250-mx1.mydomain.com Hello mail1.bp.com [##.##.##.##], pleased to meet you

and

Trying ##.##.##.###...
Connected to mx2.mydomain.com.
Escape character is '^]'.
220 mx1.mydomain.com ESMTP
ehlo mail1.bp.com
250-mx1.mydomain.com Hello mail1.bp.com [##.##.##.##], pleased to meet you

Does anyone see an issue with this? Has anyone done this before?

THANKS!
KSN

3 REPLIES
New Member

Re: hostnames, TLS and multiple Public IPs

Have you tried putting in a certificate with a wildcard? We use the same cert for all of our IronPorts and all the interfaces on them. You just generate a certificate with *.mydomain.com as the server name. You would have to test that to see if it will work, as some clients do not like wildcards. Also, if you are getting a real certificate, some issuers do not like giving out certificates with wildcards, as they can get more money if they charge you for each certificate.

We created the self-signed certificates for our systems using OpenSSL and loaded the certificate and key pair on each of our IronPorts.

New Member

hostnames, TLS and multiple

Thanks Jim234 for the information. Unfortunately, the people at our company in charge of certs will not let us create a wildcard certificate due to what it would cost them.

New Member

Re: hostnames, TLS and multiple Public IPs

I don't know if this would work in your case, but it might solve your problem.

You could add a subjectAltName to the SSL certificate when you request it.

Details on this can be found in RFC 2459 section 4.2.1.7 Subject Alternative Name. "The subject alternative names extension allows additional identities to be bound to the subject of the certificate."

Erich
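To check the plan from the original question against the wildcard and subjectAltName suggestions in the replies, here is an added Python example (not code from this thread, Cisco or IronPort) that applies the hostname-matching rules a TLS client uses: dNSName entries in the subjectAltName take precedence over the Common Name, and a wildcard only covers a single leftmost label. The hostnames and certificate contents are constructed to mirror the thread.

```python
def cert_identities(common_name, san_dns_names):
    """Names a verifying client will accept for this certificate.

    When the certificate carries dNSName subjectAltName entries, clients use
    those and ignore the CN; the CN is only consulted when no dNSName SAN
    is present. A CN that is not repeated in the SAN list is therefore lost.
    """
    return list(san_dns_names) if san_dns_names else [common_name]


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A '*' is honoured only as the entire leftmost label (*.mydomain.com),
    matches exactly one label, and never matches the bare domain itself.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_covers(common_name, san_dns_names, hostname):
    """True if the certificate is valid for the given hostname."""
    return any(name_matches(n, hostname)
               for n in cert_identities(common_name, san_dns_names))


def check_deployment(common_name, san_dns_names, advertised_hostnames):
    """Map each hostname the appliance announces (220 banner / EHLO name on
    each public IP) to whether the loaded certificate covers it."""
    return {h: cert_covers(common_name, san_dns_names, h)
            for h in advertised_hostnames}


if __name__ == "__main__":
    # Constructed scenarios from the thread: one CN for both IPs, a wildcard
    # cert, and a SAN cert listing both MX names.
    print(check_deployment("mx1.mydomain.com", [], ["mx1.mydomain.com", "mx2.mydomain.com"]))
    print(check_deployment("*.mydomain.com", [], ["mx1.mydomain.com", "mydomain.com"]))
    print(check_deployment("mx1.mydomain.com", ["mx1.mydomain.com", "mx2.mydomain.com"],
                           ["mx1.mydomain.com", "mx2.mydomain.com"]))
```

The third scenario is the one to request from the certificate team: keep the CN as one MX name and list every hostname the appliance announces as a dNSName SAN, including the CN itself.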
