WFM Certificates with multiple SANs can have issues


When playing around with some odd WFM Configurations in my WFM Dev Environment, I stumble upon a very strange issue with my WFM Certificates, it seems that the fact of using multiple SANs (Subject Alternate Names) in my WFM Certificates was throwing some Security errors (mainly my Certificate was not matching).

After some more research and testing, I found out that there is indeed an issue in .NET that was fixed in 4.6.1

Looking a little more deep about certificates used by WFM I found out a limitation that having multiple DNS entries in a SAN certificate won’t work. This was a bug in WCF identify, where only the last entry in the certificate is recognized.
In my case I had had two entries in my DNS regarding the same Server.

Installing the .NET 4.6.1+, solves this issue. If this upgrade is not possible the bellow options will also address this issue:

  1. Use a domain wildcard certificate (*.yourdomain.com), this is the recommended approach since you can use always the same certificate in all your servers without any issues and you can even avoid any NLB issues.
  2. Guarantee that the last entry on your SAN certificate is equal to the FQDN of your Serve

Hope that helps find your solution

Cheers

Comments (0)

Skip to main content