Are SANs needed for my certificates?

If we use a CNAME to point api.mydomain.com to myorg-prod.apigee.net, will we need to add a Subject Alternative Name (SAN) field to our api.mydomain.com certificate (indicating myorg-prod.apigee.net as the additional name)?


Hi @WILLIT51,

I highly doubt your signing authority will allow you to add an X509 SAN name for a domain you don't own or control, like apigee.net.

I see where you're going with this, though. I'm guessing you want to (a) use both "api.mydomain.com" AND "myorg-prod.apigee.net" via HTTPS, and (b) you do not support SNI on the client-side?

Assuming (a) and (b) above are accurate, the easiest way to accomplish this is going to be for you to get a cert with CN=api.mydomain.com (plus any X509 SAN names you want to add), and then internally we will create a separate hostalias simply for the purposes of the CNAME. This would look something like myorg-prod-01.apigee.net, and that name would only exist for the purposes of setting up CNAME of api.mydomain.com =CNAME=> myorg-prod-01.apigee.net. This leaves myorg-prod.apigee.net untouched and available to answer via HTTPS, while myorg-prod-01.apigee.net would point to your custom certificate for api.mydomain.com.

Does this make sense? I actually got a hint that this question was coming from my colleague @clatimer1, so if there's a more detailed/sensitive conversation you wish to have on this topic, we can arrange that as well.

Thanks!
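
The hostname check behind this thread, as an added example that is not part of the reply and is not Apigee code: a client verifies the certificate against the name it requested, so the CNAME target never has to appear as a SAN. The certificate contents, the wildcard on the shared certificate, and the one-certificate-per-host-alias mapping are assumptions made for illustration.

```python
# Added illustration; certificate contents and the endpoint mapping are constructed.
CNAMES = {"api.mydomain.com": "myorg-prod-01.apigee.net"}  # record from the reply

# Certificates in the dict shape returned by ssl.SSLSocket.getpeercert().
CUSTOM_CERT = {"subject": ((("commonName", "api.mydomain.com"),),),
               "subjectAltName": (("DNS", "api.mydomain.com"),)}
SHARED_CERT = {"subject": ((("commonName", "*.apigee.net"),),),
               "subjectAltName": (("DNS", "*.apigee.net"),)}  # assumed wildcard

# Assumption: each host alias is its own TLS endpoint with one certificate,
# so the server never needs SNI to choose which one to present.
ENDPOINT_CERT = {"myorg-prod-01.apigee.net": CUSTOM_CERT,
                 "myorg-prod.apigee.net": SHARED_CERT}


def dns_name_matches(pattern, hostname):
    """Case-insensitive match; '*' allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert, hostname):
    """True if a dNSName SAN (or, lacking any, the CN) matches hostname."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(dns_name_matches(s, hostname) for s in sans)
    # Legacy CN fallback; current browsers ignore CN and require a SAN.
    return any(k == "commonName" and dns_name_matches(v, hostname)
               for rdn in cert.get("subject", ()) for k, v in rdn)


def resolve(name):
    """Follow CNAME records to the name whose endpoint is contacted."""
    while name in CNAMES:
        name = CNAMES[name]
    return name


def client_accepts(requested):
    """DNS picks the endpoint; the certificate is checked against the
    name the client asked for, never against the CNAME target."""
    return cert_covers(ENDPOINT_CERT[resolve(requested)], requested)
```

In this model `client_accepts("api.mydomain.com")` succeeds with only api.mydomain.com in the certificate, while a request made directly to the alias name fails verification.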