Hi dojo

I am configuring HTTPS on a DataMiner system running in a Failover pair (two Windows servers with a virtual/cluster IP). According to the documentation, wildcard certificates cannot be used, and each Agent must use a certificate that matches the hostname of the physical server — not the shared hostname or the virtual IP.

What is still unclear to me is the best practice for the CN/SAN configuration in this scenario:

• Each DMA has its own hostname and IP (e.g. server1.domain.com → 10.1.1.1, server2.domain.com → 10.1.1.2)
• There is also a virtual/shared IP (e.g. 10.1.1.3) that clients use to connect, since they should not need to know which node is currently active

My questions:

1. What should be used as CN for each DMA’s certificate?
   (I assume the physical hostname, e.g. server1.domain.com, but I’d like confirmation.)
2. What should be included in the SAN list?
   • Physical hostname?
   • Physical IP?
   • A common client-facing DNS alias (e.g. dataminer.domain.com)?
   • Should the virtual/shared IP ever be included in SAN, or is it strictly unsupported?
3. Is there an official recommendation or proven pattern that ensures:
   • A client can always connect through a common entry point
   • HTTPS works without certificate errors after a failover
   • Both Agents remain compliant with DataMiner’s certificate requirements?

I want to make sure that the certificate setup fully aligns with DataMiner Failover architecture and avoids any unexpected behavior during switchover.

Thanks in advance for any guidance or examples!