7 Replies Latest reply on Sep 25, 2014 2:11 PM by davidg5700

    Domain question on CSR generation

    davidg5700 Specialist

      I am working on getting a cert for zero touch vPro provisioning.  When using the CSR generation utility, the instructions state to set the "-domainName" to landesk.com.  If I do an nslookup on my core server, it will return "coreserver.mycompanyinternalname.corp" not "coreserver.mycompanyexternalname.com".  All of the client machines will be in the "mycompanyinternalname.corp" domain.


      What domain do I need to use in the certificate request?  Also, do I need to add "provisionserver" to the -domainName specifier?


      I am following this doc to generate the CSR:

      How To: Create a CSR File for Ordering a Certificate for vPro Provisioning


      Looking at this document, a screenshot of the certificate indicates I should use the FQDN of provisionserver.domain.com:

      Validating certificates for Zero Touch Provisioning


      Thanks.

        • 1. Re: Domain question on CSR generation
          bcstring SupportEmployee

          Davidg,


          1. You will want to get the cert for "mycompanyinternalname.corp" as that is the domain the machines will be part of.
          2. The -domainName will be the domain only. Not the ProvisionServer name.


          Let me know if you have any other questions.


          Bryce.

          • 2. Re: Domain question on CSR generation
            davidg5700 Specialist

            Bryce,


            Our admin who handles purchasing certificates said that the .corp is an invalid domain and that he could not get a cert from Comodo with that.


            Is there some form of DNS trickery that I'll need to do to get this to work with mycompanyexternalname.com?  An alias of some form?


            Thanks.

            • 3. Re: Domain question on CSR generation
              bcstring SupportEmployee

              David,


               You can have the cert issued for your top level domain, then use DHCP Option 15 to specify the domain the vPro will need to use when provisioning machines. This is technically theory, and I have only done limited tests with it in my lab. However, I am able to successfully provision machines with certs from other domains using this method.


              Bryce.
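The mismatch Bryce is working around can be checked before a certificate is ordered. The script below is an added example, not code from the thread or from LANDESK; it assumes (as the thread implies) that the client compares the DNS suffix it receives in DHCP Option 15 with the domain part of the certificate's CN / DNS SANs, and that a name matches only when it is that suffix or a host directly under it. All sample names and the Option 15 payloads are constructed.

```python
# Added example: does a provisioning cert cover the DNS suffix the clients get
# from DHCP Option 15?  Assumptions are labelled; sample values are constructed.

def decode_option15(raw: bytes) -> str:
    """Decode a DHCP Option 15 (Domain Name) payload into a normalised suffix.
    Some DHCP servers pad the value with a trailing NUL, so it is stripped."""
    return raw.rstrip(b"\x00").decode("ascii").strip().strip(".").lower()


def normalise(name: str) -> str:
    """Lower-case a DNS name and drop surrounding whitespace and trailing dots."""
    return name.strip().strip(".").lower()


def cert_names_for_suffix(cert_names, suffix):
    """Return the certificate names (CN and DNS SANs) whose domain part is `suffix`.

    'mycompanyinternalname.corp' covers the bare domain and
    'provisionserver.mycompanyinternalname.corp', but not a name in another
    domain and not a look-alike such as 'evilmycompanyinternalname.corp'.
    Assumption: wildcard names are not accepted for provisioning, so they are skipped.
    """
    suffix = normalise(suffix)
    matches = []
    for name in cert_names:
        n = normalise(name)
        if n.startswith("*"):
            continue
        if n == suffix or n.endswith("." + suffix):
            matches.append(name)
    return matches


def provisioning_check(cert_names, option15_raw):
    """Return (ok, detail) for a cert against the suffix the clients will use."""
    suffix = decode_option15(option15_raw)
    hits = cert_names_for_suffix(cert_names, suffix)
    if hits:
        return True, f"suffix {suffix!r} is covered by {hits}"
    return False, f"no certificate name lies in {suffix!r}; the domains do not match"


if __name__ == "__main__":
    # Constructed sample: cert bought for the external .com, clients on the .corp suffix.
    external_cert = ["provisionserver.mycompanyexternalname.com",
                     "mycompanyexternalname.com"]
    print(provisioning_check(external_cert, b"mycompanyinternalname.corp\x00"))
    # The workaround from this reply: point Option 15 at the domain the cert covers.
    print(provisioning_check(external_cert, b"mycompanyexternalname.com"))
```

Run it against the names on the certificate you intend to buy and the Option 15 value your DHCP scope actually hands out; a False result before ordering is far cheaper than one discovered during provisioning.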

              • 4. Re: Domain question on CSR generation
                dgaines Apprentice

                 We too are in a situation like this.  We are worried that if we change DHCP 15 to reflect our external domain there will be unintended consequences.  For example, would printers pick up this new domain suffix and quit working?  Has anyone run into anything like that or am I just being overly paranoid?

                • 5. Re: Domain question on CSR generation
                  davidg5700 Specialist

                  Our DHCP masters are not willing to change option 15, so we are stuck with internalcompanyname.corp and only being able to get a 3rd party cert for externalcompanyname.com.


                  Could we set up a DNS alias so that when the client boots AMT to provision, the request of provisionserver.internalcompanyname.corp can be resolved by DNS and passed along to provisionserver.externalcompanyname.com?

                  • 6. Re: Domain question on CSR generation
                    dgaines Apprentice

                     We just tried changing our DHCP option from our existing .world domain suffix to one that matches our internet .com suffix.  We let that propagate for over an hour.  The Windows machines looked good, but when we started checking Mac and Linux based systems is where we started to see problems.  After a reboot, those boxes picked up the new .com domain suffix but couldn't ping anything that still had a .world suffix.  I am guessing that this has something to do with domain search order, but I am not sure as I am not a DNS expert in the slightest.

                    • 7. Re: Domain question on CSR generation
                      davidg5700 Specialist

                      It took some badgering, but I was finally able to get our certificate guys to work with Comodo to issue a vPro cert with our internal domain.  This will only be valid for a year, but that should be plenty of time to get our machines provisioned.


                      Since internally named certs will be revoked next fall, vendors make it difficult to get one.  Or, at least they did for us.  It took a special request.