Dear Community,
I installed and configured a new Orchestrator cluster (v7.3.1) and I need an SSL certificate signed by my CA that matches the DNS name of the load balancer.
How can I generate (with keytool) the Certificate Signing Request matching the load balancer name? Is it possible to have a certificate for both the load balancer and the hostnames?
Thanks in advance,
Fred
You should issue the certificate to the VIP and list the nodes of the cluster as Subject Alternative Names. Here is an example of the template I use to create the request:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:server1.domain.com, DNS:server2.domain.com, DNS:server3.domain.com, DNS:server4.domain.com
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Some State
localityName = Some City
0.organizationName = Company
organizationalUnitName = Group
commonName = vip.domain.com
Thank you very much, sbeaver. I will give it a try with 'Subject Alternative Name'.
And just one minor detail to add: if you anticipate possible changes in the list of cluster nodes, you can issue the certificate using a wildcard. That is, instead of hard-coding server1.domain.com, server2.domain.com, etc., you can use *.domain.com.
Thanks a lot, Ilian Iliev.
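An added example, not part of the thread or any poster's own tooling: a Python check of which hostnames a request template's subjectAltName list covers, including the wildcard case, under RFC 6125 matching where commonName is not consulted once DNS SANs are present. The template is a constructed copy of the SAN and CN lines above, and the function names are hypothetical.

```python
import re

# Constructed sample: the SAN and CN lines from the request template in the thread.
TEMPLATE = """\
[ req ]
req_extensions = v3_req
[ v3_req ]
subjectAltName = DNS:server1.domain.com, DNS:server2.domain.com, DNS:server3.domain.com, DNS:server4.domain.com
[ req_distinguished_name ]
commonName = vip.domain.com
"""

def parse_template(text):
    """Parse a flat OpenSSL-style config into {section: {key: value}}."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            section = cfg.setdefault(header.group(1), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[key.strip()] = value.strip()
    return cfg

def san_dns_names(cfg):
    """DNS entries of the extension section named by req_extensions."""
    ext = cfg.get(cfg.get("req", {}).get("req_extensions", ""), {})
    entries = [e.strip() for e in ext.get("subjectAltName", "").split(",")]
    return [e[4:].strip() for e in entries if e.upper().startswith("DNS:")]

def name_matches(pattern, host):
    """'*' is honoured only as the entire leftmost label and spans one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and len(p) > 2))

def uncovered(cfg, hosts):
    """Hosts that hostname verification would reject for a cert issued from cfg."""
    sans = san_dns_names(cfg)
    # With dNSName SANs present, RFC 6125 verifiers do not fall back to commonName.
    names = sans or [cfg.get("req_distinguished_name", {}).get("commonName", "")]
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]

if __name__ == "__main__":
    print(uncovered(parse_template(TEMPLATE), ["vip.domain.com", "server1.domain.com"]))
```

Run it against the names clients will actually connect to (the VIP and each node) before sending the request to the CA; any name it returns needs its own DNS entry in subjectAltName.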