We use https://hostname.domain.com for our UMP, and DNS also allows https://hostname/. We would like to implement a single SSL certificate to cover both cases. How can this be accomplished?
The following high-level steps are necessary to make this work. For specifics, see the product documentation.
1. Reinitialize the keystore.
2. Delete the "wasp" alias from the keystore.
3. Generate a key pair, but do NOT use the command from the docs:
<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize <key_size> -keystore wasp.keystore -validity <days_cert_is_valid>
Instead, generate the key pair as follows (substituting the appropriate values for your domain):
<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize <key_size> -keystore wasp.keystore -dname "CN=hostname, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -ext SAN=dns:hostname.domain.com,dns:hostname,ip:<server_ip> -validity <days_cert_is_valid>
Note that you should not use "Unknown", but put the correct values for your organization. The Country value (C) must be a two-letter country code. Both names must appear as dns: entries in the SAN: current browsers and TLS libraries match the requested name only against the SAN and ignore the CN, so a certificate whose SAN lists only hostname.domain.com will not validate for https://hostname/ even though the CN is "hostname".
You can verify that the SAN was included with:
keytool -list -v -keystore wasp.keystore
The output should contain an extension entry like the following (2.5.29.17 is the SubjectAlternativeName OID), followed by a SubjectAlternativeName block listing each DNSName and IPAddress you specified:
#1: ObjectId: 2.5.29.17 Criticality=false
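As an added check (example code, not part of the original article), the following Python parses the text of a keytool -list -v listing and reports which required names are not covered by the SAN. The listing it parses is a constructed, abridged sample; the organization values and the IP address in it are placeholders.

```python
import re

# Constructed, abridged sample of `keytool -list -v -keystore wasp.keystore`
# output; not captured from a real UMP/UIM system. The CN covers only the
# short hostname, and the SAN covers only the FQDN.
SAMPLE_LISTING = """\
Alias name: wasp
Entry type: PrivateKeyEntry
Owner: CN=hostname, OU=IT, O=Example Corp, L=Springfield, ST=IL, C=US
Issuer: CN=hostname, OU=IT, O=Example Corp, L=Springfield, ST=IL, C=US
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: hostname.domain.com
  IPAddress: 192.0.2.10
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
"""

def parse_san(listing):
    """Return {'dns': [...], 'ip': [...]} from the SubjectAlternativeName block."""
    san = {"dns": [], "ip": []}
    m = re.search(r"SubjectAlternativeName \[\n(.*?)\n\]", listing, re.S)
    if not m:
        return san
    for line in m.group(1).splitlines():
        line = line.strip()
        if line.startswith("DNSName:"):
            san["dns"].append(line.split(":", 1)[1].strip().lower())
        elif line.startswith("IPAddress:"):
            san["ip"].append(line.split(":", 1)[1].strip())
    return san

def dns_matches(pattern, host):
    """RFC 6125 style match: a leading '*.' label matches exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def uncovered_names(listing, required):
    """Required names that no SAN DNS entry matches; modern clients ignore the CN,
    so such names fail validation even when they appear in the subject."""
    san = parse_san(listing)
    return [h for h in required if not any(dns_matches(p, h) for p in san["dns"])]
```

If uncovered_names() returns a non-empty list, regenerate the key pair with those names added to the SAN before creating the CSR.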
Next, generate the CSR using the same -ext option, like this (a CSR carries no validity period; the signing authority sets it on the issued certificate):
<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -certreq -alias wasp -keystore wasp.keystore -file <your_domain>.csr -ext SAN=dns:hostname.domain.com,dns:hostname,ip:<server_ip>
You should now have a valid CSR that contains the SAN. Submit it to a signing authority to obtain a certificate; confirm with the authority that it preserves the requested SAN entries, since some re-derive the names from the CN only.
Then import the resulting certificates (the CA chain and the signed server certificate) into the keystore as you normally would, and a single certificate will cover both https://hostname.domain.com and https://hostname/.