PGP Universal Server and SSL Certificates using the Subject Alternative Name field


Article ID: 157246


Products

Symantec Products

Issue/Introduction

Can PGP Universal Server use an SSL certificate whose subjectAltName extension lists multiple DNS names, and how do PGP Desktop clients and replication handle such a certificate?


Resolution

It is common practice to list several DNS names in the subjectAltName extension of a single certificate, and PGP Universal Server supports such certificates. PGP Desktop clients compare the DNS names found in the subjectAltName extension against the hostname they are connecting to, and replication likewise checks that the hostname of the replication peer appears in the certificate. As long as every hostname used to reach the server is listed as a subjectAltName DNS entry, both client connections and replication succeed without certificate warnings.

 


Applies To

PGP Universal Server uses SSL certificates to secure connections to the server. PGP Desktop clients, as well as the web services hosted by the PGP Universal Server, such as Web Messenger, connect over these SSL certificates.

Often more than one hostname is used to reach the same PGP Universal Server: for example, PGP Desktop clients may be enrolled against keys-secure.domain.dom while the Web Messenger page is published as keys.domain.dom. Rather than installing a separate certificate for each name, a single certificate whose subjectAltName extension lists every hostname lets each of those names resolve to a valid certificate.

The server may also replicate using a different hostname than the one external connections use, for example keys1.domain.dom for replication and keys.domain.dom for external connections. Listing both hostnames as Subject Alternative Names in the one SSL certificate prevents certificate warnings for replication as well as for client connections from outside.
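The following is an added example, not code from the article or from the PGP Universal Server product. It shows the check described in the Resolution section, the comparison of the hostname a client connected to against the DNS names in the certificate's subjectAltName extension, applied to the three hostnames used in the scenario above (keys.domain.dom, keys-secure.domain.dom and keys1.domain.dom). The certificate dictionaries are constructed sample data in the shape that Python's ssl.SSLSocket.getpeercert() returns; the matching rules follow RFC 6125 (case-insensitive comparison, wildcard honoured only as the whole leftmost label, and no fallback to the subject commonName once a subjectAltName is present). That last rule is the practical caveat: a name that appears only in the CN is not enough for SAN-aware clients, so every hostname used to reach the server must be listed in the SAN.

```python
"""Hostname matching against a certificate's subjectAltName dNSName entries.

Added example (not PGP/Symantec code). Reproduces the check a TLS client
performs when it compares the name it connected to against the DNS names in
the certificate's subjectAltName extension. The certificate dicts below use
the same shape that Python's ssl.SSLSocket.getpeercert() returns, so
cert_covers() can be pointed at a live peer certificate as well.
"""


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one dNSName pattern against a hostname.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is only honoured as the entire leftmost label
        ("*.domain.dom"), never "k*.domain.dom" or "*.*.dom";
      * the wildcard matches exactly one label, so "*.domain.dom" does
        not cover "domain.dom" or "a.keys.domain.dom".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Partial wildcards, wildcards in later labels and "*.tld" are refused.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def san_dns_names(cert: dict) -> list:
    """Return the DNS names from a getpeercert()-style certificate dict."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by the certificate's subjectAltName.

    Only SAN dNSName entries are consulted. The subject commonName is
    deliberately ignored: clients following RFC 6125 (Python's own ssl
    module does this since 3.7) do not fall back to the CN once a SAN
    extension is present, so every hostname a server is reached by must be
    listed in the SAN.
    """
    return any(_dns_match(name, hostname) for name in san_dns_names(cert))


def check_names(cert: dict, hostnames) -> dict:
    """Map each hostname to whether cert covers it. Useful for auditing a
    certificate against every name clients and replication peers use."""
    return {host: cert_covers(cert, host) for host in hostnames}


# Constructed sample certificates (not real PGP Universal Server
# certificates) in the dict shape ssl.SSLSocket.getpeercert() returns.
CERT_MULTI_SAN = {
    "subject": ((("commonName", "keys.domain.dom"),),),
    "subjectAltName": (
        ("DNS", "keys.domain.dom"),         # external / Web Messenger name
        ("DNS", "keys-secure.domain.dom"),  # PGP Desktop enrollment name
        ("DNS", "keys1.domain.dom"),        # replication peer name
    ),
}

# Same server, but the SAN lists only the replication name; the external
# name survives only in the CN, which SAN-aware clients ignore.
CERT_CN_ONLY_EXTERNAL = {
    "subject": ((("commonName", "keys.domain.dom"),),),
    "subjectAltName": (("DNS", "keys1.domain.dom"),),
}

if __name__ == "__main__":
    names = ["keys.domain.dom", "keys-secure.domain.dom", "keys1.domain.dom"]
    for label, cert in (("multi-SAN", CERT_MULTI_SAN),
                        ("CN-only external", CERT_CN_ONLY_EXTERNAL)):
        print(label, check_names(cert, names))
```

Running the script reports every name as covered for the multi-SAN certificate, while the certificate that carries keys.domain.dom only in the CN fails for that name even though it is the server's own external hostname. To audit a deployed server, the same check_names() call can be fed the dict returned by getpeercert() on a validated ssl connection to the server.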