ESM/Logger CA signed certificates - avoid restriction of CN required to be the hostname

Idea ID 2775751

0 Votes

Could I suggest that the following model is supported for certificates:

When generating the key, support the use of a service-based CN, where the CN could be something like "ESM Servers".

And then within that cert, DNS alt names are defined containing the list of ESM server FQDNs and aliases.

You could in theory then use the same certs for your fleet of ESMs etc.

The current problem with this method is that ESM cannot determine the IP from the CN of "ESM Servers" because it assumes the CN will be the FQDN of that ESM host.

 

Suggestion applies for Loggers and other components too.
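The certificate model proposed in the post above, as an added example that is not part of the original post and is not ESM's or Logger's own code: it contrasts a CN-only identity check with a check against the DNS alt names (RFC 6125 style). The certificate dict uses the shape returned by Python's `ssl.SSLSocket.getpeercert()`; every host name in it is a constructed sample value, and the function names are hypothetical.

```python
# Added illustration: CN-only vs SAN-based host identity checks.
# SAMPLE_CERT mirrors the dict shape of ssl.SSLSocket.getpeercert();
# all names in it are constructed sample values.
SAMPLE_CERT = {
    "subject": ((("commonName", "ESM Servers"),),),  # service-based CN
    "subjectAltName": (
        ("DNS", "esm01.example.internal"),
        ("DNS", "esm02.example.internal"),
        ("DNS", "esm.example.internal"),             # alias
        ("DNS", "*.logger.example.internal"),
    ),
}


def _name_match(pattern, host):
    """Compare one dNSName with a host, label by label, case-insensitively."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        # '*' must be the whole left-most label and not sit directly on a TLD
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def common_name(cert):
    """Return the subject CN, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def cn_only_check(cert, host):
    """Identity taken from the CN alone: fails for a service-based CN."""
    cn = common_name(cert)
    return cn is not None and cn.lower() == host.lower()


def san_check(cert, host):
    """If dNSName SANs exist, only they are consulted; the CN is ignored."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_name_match(n, host) for n in dns_names)
    return cn_only_check(cert, host)  # fallback only when no dNSName exists
```

With the sample certificate, `san_check` accepts each listed FQDN and the alias, while `cn_only_check` rejects all of them because the CN is the service name rather than a host name.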

2 Comments
Micro Focus Frequent Contributor

Hi Ian,

 

I recognize this issue, especially with the ACC, because this will redirect to the CN name of the loaded certificate.

Use of DNS Alt Names in the certificate will work for Java Client and Connector Connections.

 

Best Regards,

Henk-Jan

Outstanding Contributor.

Thanks Henk-Jan. Hope things are going well! Cheers!
