We use https://<hostname.example.com> for our UMP, and DNS also allows https://<hostname>/. We would like to implement a single SSL certificate to cover both cases. How can this be accomplished?
Release: UIM 8.4 or higher
- Guidance with CSRs/SSL Certificates
The following (high-level overview) steps are required. For specifics, see the product documentation.
1. Reinitialize the keystore
2. Delete the "wasp" alias from the keystore
3. Generate a key pair, but do NOT use the command from the docs (which does not include the SAN info):
<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize <key_size> -keystore wasp.keystore -validity <days_cert_is_valid>
Instead, generate the key pair as follows, substituting the appropriate values for your domain and listing every name the server is reached by (here both the FQDN and the short hostname) as dns entries in the SAN:
<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize <key_size> -keystore wasp.keystore -dname "CN=hostname.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -ext SAN=dns:hostname.example.com,dns:hostname,ip:192.0.2.1 -validity <days_cert_is_valid>
Do not actually use "Unknown"; enter the correct values for your organization. The Country value (C) must be a two-letter country code.
You can verify the SAN info was included by issuing the following command:
keytool -list -v -keystore wasp.keystore
Here is an example result of the list command above.
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: hostname.example.com
  IPAddress: 192.0.2.1
]
Next, generate the CSR using the same -ext option, so the CSR carries the same SAN entries as the key pair:
<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -certreq -alias wasp -validity <days_cert_is_valid> -keystore wasp.keystore -file <your_domain>.csr -ext SAN=dns:hostname.example.com,dns:hostname,ip:192.0.2.1
You should now have a valid CSR that contains the SAN. Submit it to your certificate authority (CA) to obtain a signed certificate.
Then import the resulting certificates as described in the techdocs link in the Additional Information section of this article; that should resolve the SAN-related errors described above.
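Because a CA may issue the certificate with a different set of SAN entries than the CSR requested, it is worth re-running keytool -list -v after the import and checking the names programmatically. The following POSIX shell functions are an added example, not part of this article or the product documentation: they read keytool -list -v output from stdin and report any expected name (the FQDN, the short hostname, the IP) that is missing from the SubjectAlternativeName block.

```shell
#!/bin/sh
# Added example (not from the article): verify that the SubjectAlternativeName
# block printed by `keytool -list -v -keystore wasp.keystore` contains every
# name the UMP server is reached by. Usage (keytool output on stdin, required
# names as arguments):
#   keytool -list -v -keystore wasp.keystore | check_san hostname.example.com hostname 192.0.2.1

# Print one SAN value per line (DNSName and IPAddress entries only),
# tolerating both "DNSName: x" and "DNSName:x" spacing.
san_entries() {
  awk '
    /SubjectAlternativeName \[/ { insan = 1; next }
    insan && /^[[:space:]]*[]]/ { insan = 0; next }
    insan {
      sub(/^[[:space:]]*/, "")
      if ($0 ~ /^(DNSName|IPAddress):/) {
        sub(/^(DNSName|IPAddress):[[:space:]]*/, "")
        print
      }
    }'
}

# Exit 0 when every required name is present; otherwise print the missing
# names and exit 1. A certificate that lists only the FQDN still fails for
# https://hostname/ because browsers match the URL against the SAN, not the CN.
check_san() {
  found=$(san_entries)
  status=0
  for want in "$@"; do
    if ! printf '%s\n' "$found" | grep -qxF -- "$want"; then
      echo "missing SAN entry: $want"
      status=1
    fi
  done
  return "$status"
}
```

Run it once against the keystore before submitting the CSR and again after importing the CA-signed certificate; a nonzero exit status means one of the URL forms will still produce a certificate name error.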