Certificate Requirements for SVE 1.2

Hi all,

In the certificate requirements for SVE 1.2 it is written that "Subject Alternative Names in the SVM certificate contain the IP addresses for all configured SVM IP addresses. These must be specified as IP and DNS e.g. IP: 1.2.3.4, DNS: 1.2.3.4".

As I understand it, I have to write ALL IP addresses of ALL SVMs in every certificate. But if I do so, the installation fails. It only finishes when only the IP address of the current SVM is entered as IP and DNS. Is this a mistake in the documentation?

By the way: IP addresses as DNS names in Subject Alternative Names are not valid according to https://tools.ietf.org/html/rfc5280#section-4.2.1.6 !!!

Regards

  • Hello  

    It's not all IP addresses of all the SVMs in every certificate, but you need to enter just the IP addresses of that particular SVM.

    In the KBA it says: 

    2. Create the Certificate Signing Request

    You will need to complete these steps for each Security VM you wish to deploy

    vi. Subject tab:

    1. In the "subject name" box, select the "Common Name" type. Enter the SVM's hostname and click "Add"
    2. For each of the SVM's IP addresses
      1. In the "Alternative name" box, select the "IP address (v4)" type. Enter one of the SVM's IP addresses and click "Add"
      2. In the "Alternative name" box, select the "DNS" type. Enter one of the SVM's IP addresses and click "Add"

    Hope this helps

     

    Mark 
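
The KBA steps quoted above, expressed as an OpenSSL request config for sites without a Microsoft CA. This is an added example, not part of the original thread or the vendor's documentation: the hostname and 192.0.2.x addresses are constructed sample values, the function names are hypothetical, and acceptance of an OpenSSL-generated request by the SVE installer is an assumption.

```shell
#!/bin/sh
# Added example: build an OpenSSL CSR config for ONE SVM, listing each of that
# SVM's IP addresses as both an IP and a DNS subject alternative name.

# Emit "IP:a,DNS:a,IP:b,DNS:b" for the addresses given as arguments.
svm_san_list() {
    san=""
    for ip in "$@"; do
        # Reject anything that is not shaped like a dotted-quad IPv4 address,
        # e.g. a hostname pasted into the IP list by mistake.
        if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "not an IPv4 address: $ip" >&2
            return 1
        fi
        san="${san:+$san,}IP:$ip,DNS:$ip"
    done
    [ -n "$san" ] || { echo "no IP addresses given" >&2; return 1; }
    printf '%s\n' "$san"
}

# Emit an openssl req config: CN = hostname, SAN = this SVM's addresses only.
svm_csr_config() {
    host=$1; shift
    san=$(svm_san_list "$@") || return 1
    cat <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
CN = $host

[v3_req]
subjectAltName = $san
EOF
}

# Create key and CSR for one SVM, then print the SAN extension for review.
svm_make_csr() {
    host=$1
    svm_csr_config "$@" > "$host.cnf" || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$host.cnf" \
        -keyout "$host.key" -out "$host.csr" || return 1
    openssl req -in "$host.csr" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage, one run per SVM (constructed values):
#   svm_make_csr svm01.example.test 192.0.2.10 192.0.2.11
```
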

  • In reply to MarkToshack:

    OK, I think this is clearer than the sentence in the requirements. I did not read this, as we don't have a Microsoft CA.

    Thanks.

  • In reply to MarcLang:

    I am looking to ensure our docs are easier to follow - thanks Marc for the feedback.