Can SOTI handle Wildcards in Subject Alternative Name field?


Hello there

We wanted to change our wildcard Certificate for Mobicontrol as well as 2 Exchange ERGs.

Unfortunately the customer was no longer able to generate a wildcard certificate like *.domain.ch

The cert currently looks like this: service.domainname.ch, and in the SAN field they have entered *.domainname.ch

MobiControl was able to handle it, but on the ERGs the mail sync stopped until we changed everything back.

Does anybody have experience with such certificates?

Can this work or should we generate a certificate for each service?

Thank you for any inputs.

Best Regards

Beni

3 years ago
SOTI MobiControl
ANSWERS
Raymond Chan Diamond Contributor
3 years ago

Wildcard certificates seem to be too generic and therefore have some security concerns. The Microsoft Windows device platform has disallowed using wildcard certificates in MDM-related activities for a couple of years, and I believe other device platforms will follow suit. However, it is possible to use one single certificate to support multiple domains without using a wildcard. Some certificate vendors sell SAN SSL certificates which include 5, 10, 15, 20, etc. fixed domain names rather than wildcard characters. I previously used this kind of certificate successfully on MobiControl.

Benjamin Spahr
3 years ago

Hi Raymond
We have used the *.domainname.ch for the last 5 years.

Now we are using outlook.domainname.ch with SAN SSL entries.

On MobiControl it works fine, but the ERGs aren't working anymore.

Best Regards

Beni

ICMOD@SOTI
3 years ago

Hello Benjamin,

Thanks for your post!

All certificates have a Subject name, and the Subject name in the certificate must either be a wildcard (*.domain.com) OR match the exact name of whatever is using the certificate.

The MobiControl Management Service needs a certificate where the Subject name matches the FQDN of the Management Service. The ERG server will need a separate certificate, where the certificate Subject name matches the FQDN of the IIS server that is hosting ERG. They cannot use the same certificate if they are not wildcards.

Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |
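The difference between the two servers' behaviour comes down to how a validator matches a hostname against the certificate's Subject CN versus its SAN entries. The following is an added example, not code from the thread or from SOTI: it implements RFC 6125 dNSName matching (SAN entries consulted first, wildcard allowed only as the whole leftmost label and covering exactly one label) and a CN-only mode that models the rule the support reply describes. The certificate values are constructed from the thread; the `san_aware=False` mode is an assumption about how a legacy validator behaves, not a statement about ERG's implementation.

```python
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Names a server certificate asserts: Subject CN plus SAN dNSName entries."""
    subject_cn: str
    san_dns: list = field(default_factory=list)


def _name_matches(pattern: str, host: str) -> bool:
    """Match one DNS name pattern against a host per RFC 6125 section 6.4.3."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the entire leftmost label, appear only there, and
    # the pattern needs at least two more labels (so "*.ch" is rejected).
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    # The wildcard covers exactly one label: *.domainname.ch matches
    # erg1.domainname.ch but not a.b.domainname.ch or domainname.ch itself.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def hostname_matches(cert: CertNames, host: str, san_aware: bool = True) -> bool:
    """Return True if host is covered by the certificate.

    san_aware=True follows RFC 6125: when any dNSName SAN is present, only
    the SAN entries are consulted and the Subject CN is ignored.
    san_aware=False models a CN-only validator (assumed behaviour): the CN
    must be a wildcard or an exact match, as the support reply states.
    """
    if san_aware and cert.san_dns:
        return any(_name_matches(p, host) for p in cert.san_dns)
    return _name_matches(cert.subject_cn, host)


# Constructed to mirror the certificate described in the thread.
THREAD_CERT = CertNames(subject_cn="service.domainname.ch",
                        san_dns=["*.domainname.ch"])

if __name__ == "__main__":
    for h in ("service.domainname.ch", "erg1.domainname.ch", "a.b.domainname.ch"):
        print(h, hostname_matches(THREAD_CERT, h),
              hostname_matches(THREAD_CERT, h, san_aware=False))
```

Running it shows that erg1.domainname.ch is accepted only by the SAN-aware check, which is the outcome to test for before swapping certificates on a server whose validator you have not verified.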

Benjamin Spahr
3 years ago

Hello there

Thank you for the answer.

We could get the wildcard cert and now it worked.

But we had a very strange observation.

On all devices which are currently enrolled as device admin and using the Samsung app for mail sync, the sync worked properly.

On the AE COPE devices which are syncing via Gmail, the profile had to be reinstalled, as we got the error "the security of Gmail is currently higher than the security set by the admin".

As we will have a lot more COPE devices in the future, it needs to work properly at the next cert change.

Are you aware of such behavior?

Thank you and best Regards

Beni