Certificates for DNS Name (high availability)

Hi all,

We have CAM and CAS in HA mode. We need to generate a CSR, but I have some confusion about the DNS name.

Network setup is like this:

Hostname     IP address
========     ============
CAM01        192.168.0.8
CAM02        192.168.0.9
             192.168.0.10 (virtual IP address)
CAS01        172.30.1.8
CAS02        172.30.1.9
             172.30.1.10  (virtual IP address)

All hostnames are already registered in local DNS, and all devices are pingable by FQDN, e.g. CAM01.test.com, CAM02.test.com.

Which host name should I use during the CSR?

Thank you

7 REPLIES

Re: Certificates for DNS Name (high availability)

Hi,

Create a third name, call it CAM, and make it resolvable to the Service IP. Generate your CSR for that.

The same thing for CAS. The name should resolve to the service IP and you should get certificate for that name.

HTH,

Faisal

Re: Certificates for DNS Name (high availability)

Hi Faisal,

Thank you very much for the solution.

We have to implement wireless in in-band virtual gateway mode. If you have any configuration sample for this, please provide it to me.

Thanks again

--Laxman

Re: Certificates for DNS Name (high availability)

Laxman,

Wireless IB guides: http://tinyurl.com/2ef2kk Look at chapter 3 for design considerations.

HTH,

Faisal

Re: Certificates for DNS Name (high availability)

Hi Faisal,

This question is regarding certificates.

In our scenario the CAS is in HA mode. For the HA configuration I created temp certificates on both CAS with their hostnames and configured the HA primary; after configuration, the service IP is pingable. To add the CAS to the CAM I have to create a new certificate using the service IP and put it in the CAM. After generating the new certificate with the service IP address, the old certificate of the CAS will be replaced by the new certificate. At that moment, which certificate will be used for the CAS HA peer?

This question is regarding the license.

We have to implement in-band virtual gateway mode, but when I tried to connect a new CAS server there is no option for in-band virtual gateway. Only these options are available in the CAM:

1. virtual gateway
2. real ip gateway
3. out-of-band virtual gateway
4. out-of-band real ip gateway

License detail is here:

1. Standard Manager License present
2. Manager Failover License present
3. Out-of-Band Server Count: 2

Do we need to have a separate CAS license for in-band mode?

waiting for your reply

Thank you

Re: Certificates for DNS Name (high availability)

Hi,

For certs, you need one cert for BOTH your CAS devices if they're in HA. Basically you need a cert for each CAS, and a CAS in HA is counted as one.

So let's say you have one HA OOB CAS, and a single IB CAS, then you need two certs for CASs.

For licensing, where it says Virtual Gateway or Real-IP only, it means in-band.

HTH,

Faisal

Re: Certificates for DNS Name (high availability)

Hi Faisal,

Thank you for your answer. Your answers are always valuable to me.

If we have CAS or CAM in HA mode, we don't need to have separate certificates; only one certificate will be OK. That means if we have 2 CAS, CAS1 and CAS2, in HA mode, I don't need to generate a CSR from separate CAS servers, and a virtual IP/host CA-signed certificate is enough for both CAS servers?

Thank you

Re: Certificates for DNS Name (high availability)

Hi,

That is correct. For CAS1 and CAS2, you should have one cert only which you'll install on both devices.

HTH,

Faisal
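
The advice in this thread (one name that resolves to the service IP, one certificate for that name installed on both HA peers) can be checked before cut-over. The following is an added example, not part of the original posts and not Cisco code: it takes certificate dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the service name `cam.test.com`, the serial numbers and the DNS table are constructed sample values built from the addresses in the question.

```python
import socket

def cert_dns_names(cert):
    """DNS names a certificate covers (cert shaped like ssl getpeercert() output)."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN DNS entries exist, clients ignore the CN
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a wildcard in the left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def check_ha_pair(service_name, service_ip, node_certs, resolve=socket.gethostbyname):
    """Return a list of problems; an empty list means the pair follows the advice."""
    problems = []
    try:
        ip = resolve(service_name)
        if ip != service_ip:
            problems.append(f"{service_name} resolves to {ip}, not service IP {service_ip}")
    except OSError as exc:
        problems.append(f"{service_name} does not resolve: {exc}")
    for node, cert in node_certs.items():
        names = cert_dns_names(cert)
        if not any(name_matches(n, service_name) for n in names):
            problems.append(f"{node}: certificate names {names} do not cover {service_name}")
    # Serial number is used here as a simple proxy for "same certificate".
    if len({c.get("serialNumber") for c in node_certs.values()}) > 1:
        problems.append("peers present different certificates; install the same one on both")
    return problems

# Constructed sample data (assumed names, addresses taken from the question).
DNS = {"cam.test.com": "192.168.0.10", "cam01.test.com": "192.168.0.8"}

def fake_resolve(name):
    try:
        return DNS[name.lower()]
    except KeyError:
        raise socket.gaierror(f"no record for {name}")

SERVICE_CERT = {"subject": ((("commonName", "cam.test.com"),),), "serialNumber": "0A"}
TEMP_CAM01 = {"subject": ((("commonName", "CAM01.test.com"),),), "serialNumber": "01"}
TEMP_CAM02 = {"subject": ((("commonName", "CAM02.test.com"),),), "serialNumber": "02"}

if __name__ == "__main__":
    pair = {"CAM01": TEMP_CAM01, "CAM02": TEMP_CAM02}
    for line in check_ha_pair("cam.test.com", "192.168.0.10", pair, fake_resolve):
        print("PROBLEM:", line)
```

Against live devices, pass the dict from `getpeercert()` for each peer and leave `resolve` at its default.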
