Using Standard Domain Certificates for SSL

Hi all,

I am currently in the process of trying to roll out certificates for one of our clients, who has around 200 edge devices on the network. I ideally want to use the one certificate; however, it is not plausible for us to generate a CSR with a SAN list of their hostnames/IP addresses, as this list will be expanding and changing over time, so we can't pre-sign these current hostnames.

What has been suggested by the internal CA team is that each of these edge nodes is a Windows 10 PC on the domain, which comes with standard domain-assigned certificates that could possibly be used. We have now been sent the three certificates we need to apply to the gateway (Server Certificate, Certificate Chain signed by intermediary and Certificate Chain signed by CA); however, as we never generated a CSR, I can't work out what Private Key I need to use to apply these certs. When I generate a self-signed cert on the edge devices and then attempt to apply the certs, it gives me the following error: 'Unable to find a private key which matches the public key from the server certificates'

Could I please have a bit of guidance here, I feel like I’ve missed a straightforward step somewhere along the way.

If by "Server Certificate" you mean the leaf certificate that the Gateway should be using, then because these were generated without a CSR they must also supply the private key.

Thank you Kevin, that sparked a bit of a conversation with the client's internal CA team and we realised there was a miscommunication regarding what was actually required from their end.

We are now essentially starting from scratch, and I am a bit stuck as to what is best practice here to create a cert that is usable for all ~200 of these edge devices, noting that this will also grow over time. I understand that a wildcard certificate could be an option?

I think a wildcard is your only option to deploy the same certificate and private key to all gateways.

They would all have to be available at DNS that matches the wildcard pattern, e.g. a wildcard of *.acme.com and they are all available at DNS names like edge1.acme.com through edge200.acme.com.

Alternatively you could look into something like Let’s Encrypt, or maybe roll your own certificate deployment and renewal that worked with your internal CA. I think one other user here has done that for their internal use, but I think it required a custom module…

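Kevin's point that every gateway must sit at a DNS name matching the wildcard pattern is worth checking against the real inventory before ordering the cert. The following is an added example, not code from the thread or the gateway product: it applies the wildcard matching rules that TLS clients enforce to a constructed list of edge identities and reports which ones a `*.acme.com` certificate would not cover (the bare domain, deeper subdomains and, notably, the IP addresses the original question mentioned).

```python
"""Check which edge-device identities a wildcard certificate would cover.

Rules applied (RFC 6125 style, as browsers and OpenSSL enforce them):
  * a wildcard must be the entire leftmost label: "*.acme.com" is valid,
    "ed*.acme.com" and "*.*.acme.com" are not;
  * the wildcard matches exactly one label, so "*.acme.com" covers
    "edge1.acme.com" but not "acme.com" nor "a.edge1.acme.com";
  * a wildcard never covers an IP address; those need an iPAddress SAN.
"""
import ipaddress


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the dNSName SAN `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(hostname)
        return False  # IP addresses are never matched by dNSName entries
    except ValueError:
        pass
    if "*" not in pattern:
        return pattern == hostname  # plain name: exact, case-insensitive match
    labels = pattern.split(".")
    # Only a whole leftmost label may be a wildcard, and at least two labels
    # must follow it ("*.com" is never issued by a public or sane private CA).
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = hostname.split(".")
    # Same label count and identical parent labels: the "*" eats one label only.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def coverage(pattern: str, identities: list[str]) -> tuple[list[str], list[str]]:
    """Split an identity inventory into (covered, uncovered) for `pattern`."""
    covered = [i for i in identities if wildcard_matches(pattern, i)]
    uncovered = [i for i in identities if not wildcard_matches(pattern, i)]
    return covered, uncovered


# Constructed sample inventory for illustration; not taken from the thread.
EDGE_IDENTITIES = [
    "edge1.acme.com", "EDGE200.acme.com", "acme.com",
    "site2.edge7.acme.com", "10.20.30.40", "edge9.acme.com.",
]

if __name__ == "__main__":
    ok, missing = coverage("*.acme.com", EDGE_IDENTITIES)
    print("covered:  ", ok)
    print("uncovered:", missing)
```

Anything that lands in the uncovered list needs either a DNS name under the wildcard's parent domain or its own certificate, which is where the per-device enrolment and renewal route Kevin mentions comes in.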

Great, thank you for your assistance Kevin. I will raise this with their internal CA team and report back.