Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Novice
1,471 Views

provisioning certificate to provision child domains .local

Hi everyone,

I'm hoping you can help me with a question.

I have read the Domain Suffix guide at http://communities.intel.com/docs/DOC-4903 http://communities.intel.com/docs/DOC-4903

Say I have a domain that's called bamits.local and I have a child domain called dev.bamits.local and I want to provision systems in the both domains.

My top level domain (TLD) is .local and is not in the list and Option 15 in the top domain would return bamits.local and in the child domain it would return dev.bamits.local

I want to use the same provisioning certificate to provision .bamits.local and dev.bamits.local. how many labels will it need to match? Will the configuration certificate only need to match 2 labels to provision the systems and not need to go back to dev?

I have been told that so long as the DNS suffix (DHCP option 15) matches the cert top level domain, then it will work. If that was true it would only need to goto .local and not worry about bamits.

My concern is that option 15 actually returns dev.bamits.local in the child domain and the certificate is for bamits.local

Could somebody help clarify this for me?

Thanks

Blair

0 Kudos
2 Replies
Highlighted
Community Manager
212 Views

Hi Blair,

The .local is not on our Top Level Domain list, therefore, the configuration certificate will need to also match the dev label.

For support of clients in bamits.local and dev.bamits.local your options are 2 standard certs for each domain, a multi-domain certificate that includes the two domains, or a wild card certificate.

What does this mean?

Top Level Domain AMT support list:

.EDU .GOV .ORG .BG .CH .CL

.CZ .DE .DK .COM .NET

.ARPA .AR .AT .BE .BR .CA

.CN .CO .EE .ES .FI .FR

.GR .HK .HR .HU .IE .IL

.IN .LT .MX .NL .NO .NZ

.PL .PT .RO .RU .SE .SG

.TH .TR .TW .UA .UK .ZA

Customers owning a DNS under domains on this list can utilize a single standard SSL certificate to provision the entire vPro fleet including all sub-domains in their organization (Intel Advanced Management Technology firmware will treat this certificate as a wildcard certificate)

In other words, if the domain is not on this list the customer would have to resort to Wildcard or Multi-Domain certificates to cover all existing sub-domains to be able to provision AMT in each one.

Example of a domain not on the list:

A Standard SSL certificate for domain "bamits.local" will only support AMT clients in this domain to configure. AMT clients in "dev.bamits.local" or "test.bamits.local" for example will be rejected. This would work with a wildcard cert of " *.bamits.local" or multiple domain certificates.

Highlighted
Novice
212 Views

Thanks Minh,

You have explained it very well.

Regards,

Blair

0 Kudos