Environment

• App Control Console: All Supported Versions

Objective

How to use the Subject Alternative Name (SAN) field when generating a new Certificate to be used in the App Control Console

Resolution

• The Subject Alternative Name (SAN) must contain the current App Control Server Address (System Configuration > General tab) and any previously used FQDN/CNAME records
• Both the current name of the server and any alternative or previously used names should be listed as shown:

  Subject Alternative Name: DNS=newserver.domain.com,DNS=oldserver.domain.com
  

• The SAN can also contain an IP Address, or a wildcard:

  Subject Alternative Name: DNS=appcontrol.domain.com,DNS=*.domain.com,IP=10.0.8.123
  

Additional Notes

• If a Wildcard is used in the Common Name, the current Server Address (System Configuration > General) must be included in the SAN:

  Common Name: *.domain.com
  
  Subject Alternative Name: DNS=appcontrol.domain.com,DNS=*.domain.com
  

• RFC 2818 states that the Common Name in the Subject field of the certificate must be included in the Subject Alternative Name.
• If the certificate contains any DNS entry in the SAN, the Agent will require one entry to match the Server Address.
• If the certificate contains no SAN entries, the Common Name and the Server Address must match.
• Failure to properly format the Server Certificate could cause communication failures between the Agent and the Server, or other errors.

Related Content