I apologize if this is too simple a question, but we recently lost our SSL/Security admin who normally handles this and it's been many years since I dealt with it.
We have a legacy AD domain name (company.local) that was created back when it was standard practice no not use the same domain as your public DNS or other valid root domain name. Our Windows NPS is named radius.company.local, and it has a cert issued by our AD CA. Now that WPA3 is being enforced on Pixel devices, we can no longer auth them over WiFi via RADIUS since our CA isn't trusted.
I understand I can get a cert from a trusted root CA (we use DigiCert), but what SN would I use? I can't get a cert for radius.company.local, and if I got one for our public domain (like wifi.company.com) wouldn't it fail because the server is reporting as radius.company.local?
We do have a wildcard cert for the public domain but it didn't work, and there's plenty of pages out there saying MS NPS really hates using them. So I'm at the point of just buying a single cert for this but can't wrap my brain around what SN to put in the certificate request.
My guess is something like this:
Subject Name
Common Name: wifi.company.com
OU: IT
Organization: Company Name
Locality: City
State: State
Country: US
Alternative Name
wifi.company.com
Since this is going to be public I don't want to use my company.local domain, correct? Would I need to add a public DNS entry for wifi.company.com?
If I'm in the wrong sub please msg me or post it here so I can go there instead.
No comments:
Post a Comment