8 Replies Latest reply on Nov 4, 2016 12:13 PM by Yanick Girouard

    Question about CA-issued app server certificate for MAS environment behind load balanced VIP

    Yanick Girouard
      Share This:

      I would need to follow the second option of this procedure Using certificates to secure communication between clients and Application Servers - BMC Server Automation 8.9 - BMC Doc… to use a CA-issued certificate for BSA (To import a certificate when the certificate authority only signs CSRs (but does not export a key)).


      This procedure specifies you have to set the CN of the server during the keystore creation:


      <path to keytool>/keytool --genkey -alias blade -keyalg RSA -keystore <keystore>

          -storepass <password> -dname "CN=<hostname>" -keypass <password>

          -validity <validity> -keysize <keysize> -storetype jks


      However, it does not specifies how one could add multiple CNs to the same keystore to accommodate for all the different application servers it would be used on (Subject Alternate Names). If I access the Health Dashboard on an app server with a URL that is not matching the CN in the certificate, I'll get a security warning in my browser telling me the server doesn't match.


      Is there any part in the doc that explains how to fix that? Typically we would be using a load balanced VIP to access the Health Dashboard, and we do the same to connect to the app servers using the BSA Console.


      The keytool doc shows you can do this to add alternate names to a keystore:


      -ext san=dns:first_server,dns:second_server


      Would this work with BSA, and is there anything special I need to set the CN to for the app severs to be able to properly use the certificate? I see the self signed keystore that BSA creates on install uses the shortname of the server as the CN, is there an issue if I use its FQDN instead?