Documentation

Subject Alternative Names

Subject Alternative Names (SANs) is an extension to the X.509 standard that provides a structured way to specify multiple host names to be validated by a single certificate. A certificate with Subject Alternative Names specified can secure and manage multiple domain names, providing flexibility and efficiency. This allows client to connect using host names, so if the IP address changes due to some reason, there is no need to reconfigure the client and connection can be made with domain names. You can add, edit and remove domain names at any time in Instaclustr’s managed platform.  

Background Knowledge 

The original X.509 specification allowed a single host name in the certificate called Common Name. If the common name did not match the certificate, it would show security error. Using SANs extension, now it is possible to add several host names on the certificate and each of these will be considered as a valid host name of the server. 

Prerequisites 

Currently, to make use of SANs with Instaclustr offerings the following conditions must be met: 

  • The cluster should be running Instaclustr for Apache Kafka, Instaclustr for PostgreSQL or Instaclustr for Apache Zookeeper. 
  • The cluster should be hosted in AWS cloud.  
  • Client encryption must be enabled. 
  • Cluster should not be an AWS PrivateLink cluster. 
  • Additional host names to be added in subject alternative name field must be syntactically valid host names as per RFC definition of valid host names. In simple words, host name should contain only letters, numbers, dots, single asterisk and hyphens. No two contiguous hyphens and each label as separated by the dots in a domain should be 1 to 63 characters long. Please refer to the limitations below for a list of what is and is not supported currently. 

Limitations 

  • Instaclustr’s current implementation of subject alternative names only supports Domain Name labels with a few caveats for security reasons. First caveat is that Domain Name label can have the first chars as * or letter and the second must be a ., -, letter, digit. This is to allow wild card matching as supported by Kafka. Instaclustr does not support the following:  
    • Internet Mail Address – e.g. Local-part@Domain 
    • IP Address – e.g. 127.0.0.1  
    • URI – e.g. https://www.google.com  
    • Directory Name 
    • Additional name types through the use of the other Name field 
    • It does not allow arbitrary wildcard names as SAN host names
  • Instaclustr for PostgreSQL and Apache Zookeeper clusters subject alternative name can be added via the terraform provider and Instaclustr API. These are not supported via our managed platform console.  

How it works for Instaclustr for Apache Kafka Clusters 

Subject Alternative Names can be added at the time of cluster creation and for existing clusters. This feature is available to be used via Instaclustr managed console, our API and via Terraform Provider.

On our managed platform, custom Subject Alternative Names can be added in data center options as shown in the screenshot below:  

On existing clusters, Custom Subject Alternative Names details can be found in the connection info tab. On this page you can view, edit, remove previously entered SANs as required:

In order to apply the changes, the cluster needs to be restarted. Please reach out to our support team to schedule a rolling restart when update is complete. 

More information on how to create Instaclustr for Apache Kafka clusters with custom subject alternative names can be found here.

How it works for Instaclustr for Apache Zookeeper clusters 

For new Instaclustr for Apache Zookeeper clusters, custom subject alternative names can be added when provisioning the cluster via terraform provider or via Instaclustr API. For terraform provider request, subject alternative names must be provided as a list of strings in data centre attributes. If using Instaclustr API provisioning, custom SANs need to be specified as an array of strings in data centre settings.  

To remove or update the subject alternative names on existing Apache Zookeeper cluster, please reach out to our support team.  

Adding, listing, removing subject alternative names is not supported via Instaclustr’s  console for Apache Zookeeper clusters.  

More information on how to create Instaclustr for Apache Zookeeper clusters can be found here.

Questions 

Please contact [email protected] for any further inquiries. 

By Instaclustr Support
Previous Article Lifecycle Status of Application Versions Next Article PCI Compliance
Need Support?
Learn More
Experiencing difficulties on the website or console?
Status page for known incidents
Already have an account?
Log In to the Console
Need help with your cluster?
Contact Support
Why sign up?
To experience the ease of creating and managing clusters via the Instaclustr Console
Spin up a cluster in minutes
Free Trial