Posted on 09-07-2016 05:20 AM
The infrastructure team here have setup a service on a "round robin" DNS but each of the individual servers behind the service name have a single-hostname cert on each (of 6 servers)
Now I can add the certs (or the CA) and override all manner of trust settings, but what I can't figure out is how to get past the "This certificate is not valid (host name mismatch)" problem
For each server/cert when it pops up in the round-robin I can tick the "Always trust Y when connecting to X", and in my keychain I get the little blue disc '+' with "This certificate is marked as trusted for host X".
But that's a manual process – and I want to "pre-approve" this for dozens of users, and for all 6 certs!
Any ideas?
I know this is probably hideous bad practice, but I've little-to-no say in the server/service setup, so I probably have to live with it. I think I can suggest that they redo their certs as multi-host certs. that's a thing, right?
(They say they've fixed this for windows clients using a group policy)
Posted on 09-07-2016 05:28 AM
You can generate one cert with all the hosts listed in the subject alternative name field of the cert and it should be trusted for all of those hosts.
K
Posted on 09-07-2016 06:24 AM
Thanks. So that's a yes to the multi-host cert idea, by the look of it. I'd have to ask the infrastructure people to replace the existing single-hostname cert on each of the 6 servers.
If that goes down as well as I think it will (very badly) - I'll need to fall back on pushing out an 'auto approve' somehow
Posted on 09-07-2016 06:35 AM
I'd be careful trying to automate a solution to auto approve. This is absolutely the infrastructures team's bad practice. It is also easily avoidable and easily fixable. Don't create a headache for yourself to cover up from their bad practice. You'd also be training your users to not really consider security warnings to be significant. Let them feel the pain of their mistake, especially since it's so easy to fix.
Posted on 09-07-2016 06:40 AM
Have a look here for some more ideas if you end up having to edit the trust settings: https://jamfnation.jamfsoftware.com/discussion.html?id=11830
K
Posted on 09-07-2016 12:08 PM
Thanks Key1. That thread doesn't seem to have what I'm looking for. Deploying certs I'm ok with, we do that via profiles with no issue. Unless there's a more generic "trust this cert on everything, regardless" in there (and I'd not be happy at all with that if there was).
I will try what I can to get them to re-issue certs with multi-hostnames, but I'm not optimistic.
So if someone else can chime in with a solution on how to automate the config that would be amazing. As you can do it manually in the UI with a few clicks and a keychain authentication, it feels like it shouldn't be beyond someone's admin skills
Posted on 09-08-2016 08:20 AM
they were much more +ve than I'd anticipated about adding hosts to the cert. phew.
thanks for everyone's input