At any given time, an SSL server certificate is in one of these three states: valid, expired, or future (that is, not yet valid). When choosing which certificate to present to a client for a given domain:
1. HCP first looks for a valid certificate for the domain and, if it finds any, uses the one with the earliest start date and time.
2. If the domain has no valid certificates, HCP looks for an expired certificate for the domain and, if it finds any, uses the one with the latest expiration date and time.
3. If the domain has no expired certificates, HCP uses the future certificate with the earliest start date and time.
HCP consistently chooses the same certificate. Any of these events, however, can cause HCP to start choosing a different certificate:
• The chosen certificate expires or is deleted.
• A future certificate for the domain becomes valid.
• A new certificate is added to the domain.
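The three-step selection rule and the events that can change its outcome are easy to get wrong when reasoning about a certificate rollover, so the following is an added example (not HCP code) that models the rule as documented on this page. The certificate records, dates and common names are constructed for the demonstration; the `selection_timeline` function walks through each of the listed events (expiry, a future certificate becoming valid, a new certificate being added, a certificate being deleted) and records which certificate the rule picks at each point.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for an SSL server certificate (constructed for this example)."""
    name: str            # label used only to identify the certificate in output
    common_name: str
    not_before: datetime
    not_after: datetime


def dt(year: int, month: int, day: int) -> datetime:
    """Build a UTC timestamp; keeps the sample data below readable."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def state_of(cert: Certificate, now: datetime) -> str:
    """Classify a certificate as 'valid', 'expired' or 'future' relative to `now`."""
    if now < cert.not_before:
        return "future"
    if now > cert.not_after:
        return "expired"
    return "valid"


def choose_certificate(certs: Iterable[Certificate], now: datetime) -> Optional[Certificate]:
    """Apply the three-step rule from the page.

    1. A valid certificate: the one with the earliest start date and time.
    2. Otherwise an expired certificate: the one with the latest expiration.
    3. Otherwise a future certificate: the one with the earliest start.
    The common name is deliberately ignored, matching the documented behaviour.
    """
    by_state = {"valid": [], "expired": [], "future": []}
    for cert in certs:
        by_state[state_of(cert, now)].append(cert)
    if by_state["valid"]:
        return min(by_state["valid"], key=lambda c: c.not_before)
    if by_state["expired"]:
        return max(by_state["expired"], key=lambda c: c.not_after)
    if by_state["future"]:
        return min(by_state["future"], key=lambda c: c.not_before)
    return None


def selection_timeline() -> List[Tuple[str, str]]:
    """Replay the events listed on the page and return (event, chosen name) pairs."""
    wildcard = "*.ten1.hcp.example.com"   # constructed names, as in the page's example
    a = Certificate("A", wildcard, dt(2019, 1, 1), dt(2020, 6, 1))
    b = Certificate("B", "hcp.example.com", dt(2019, 6, 1), dt(2020, 8, 15))
    c = Certificate("C", wildcard, dt(2020, 9, 1), dt(2022, 1, 1))
    certs = [a, b, c]

    def pick(label: str, now: datetime) -> Tuple[str, str]:
        chosen = choose_certificate(certs, now)
        return (label, chosen.name if chosen else "none")

    timeline = [
        pick("2018-01-01 all certificates are future", dt(2018, 1, 1)),   # A: earliest start
        pick("2020-01-01 A and B valid, C future", dt(2020, 1, 1)),        # A: earliest start
        pick("2020-07-01 A has expired", dt(2020, 7, 1)),                  # B: only valid one
        pick("2020-08-20 every non-future cert expired", dt(2020, 8, 20)), # B: latest expiry
        pick("2020-10-01 future cert C became valid", dt(2020, 10, 1)),    # C: only valid one
    ]
    d = Certificate("D", wildcard, dt(2020, 3, 1), dt(2022, 6, 1))
    certs.append(d)                                                        # event: cert added
    timeline.append(pick("2020-11-01 D added", dt(2020, 11, 1)))           # D: earlier start
    certs.remove(d)                                                        # event: cert deleted
    timeline.append(pick("2020-11-02 D deleted", dt(2020, 11, 2)))         # C again
    return timeline


if __name__ == "__main__":
    for event, chosen in selection_timeline():
        print(f"{event:48s} -> {chosen}")
```

Two points in the output are worth noticing when planning a rollover. First, in the all-expired window the rule still serves an expired certificate (the one that expired most recently), so clients will see validation failures until a future certificate's start time passes or a new valid one is added. Second, adding a new certificate whose start date is earlier than the current one's changes the selection immediately, which is the behaviour the page's "new certificate is added" event describes.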
Note: After an event that causes HCP to choose a different certificate, the system may continue using the certificate initially chosen for a client session until the applicable cache is cleared.
HCP does not take the common name into consideration when choosing a certificate. This means that in response to a client request, HCP can use any certificate for the domain associated with the network over which the request arrives (subject to the selection process described above).
For example, suppose the domain named hcp.example.com has a certificate with the common name *.ten1.hcp.example.com. Suppose also that the management network for the tenant named ten2 uses the hcp.example.com domain. In response to a client request with a URL that specifies ten2.hcp.example.com, HCP could present the certificate with the common name *.ten1.hcp.example.com. The client is responsible for deciding how to handle certificates with common names that don’t match the requested URL.
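Because the page leaves it to the client to handle a certificate whose name does not match the requested URL, the following added example (not HCP or client-library code) shows the name check a client applies. It follows the conservative wildcard rule of RFC 6125 section 6.4.3: a wildcard may only be the entire leftmost label and matches exactly one label. The names come from the page's example; the `check_presented_certificate` function and its arguments are assumptions for the demonstration, and the list of names passed to it stands in for whatever names the presented certificate carries (subject alternative names, or the common name for older clients).

```python
from typing import Iterable


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` matches the certificate name `pattern`.

    A single '*' is accepted only as the whole leftmost label and matches exactly
    one label, so '*.ten1.hcp.example.com' matches 'foo.ten1.hcp.example.com' but
    not 'ten1.hcp.example.com' or 'a.b.ten1.hcp.example.com'. Comparison is
    case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('f*.example.com') and wildcards outside the leftmost label.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse overly broad patterns such as '*.com'.
    if len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def check_presented_certificate(requested_host: str, cert_names: Iterable[str]) -> bool:
    """Return True if any name on the presented certificate covers the requested host."""
    return any(hostname_matches(name, requested_host) for name in cert_names)


if __name__ == "__main__":
    # The scenario from the page: the domain's certificate is for *.ten1.hcp.example.com,
    # but the client asked for ten2.hcp.example.com.
    presented = ["*.ten1.hcp.example.com"]
    for host in ("ten2.hcp.example.com", "files.ten1.hcp.example.com"):
        verdict = "match" if check_presented_certificate(host, presented) else "MISMATCH"
        print(f"{host:32s} -> {verdict}")
```

In practice a client should leave its TLS library's built-in hostname verification enabled (for Python's `ssl` module, `check_hostname=True` on the context) rather than reimplementing this check; the function above is useful for reasoning about which of the tenant hostnames a given HCP domain certificate will actually cover before the certificate is installed.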
© 2015, 2020 Hitachi Vantara LLC. All rights reserved.