Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,13 @@ By default, the Helm chart is configured for HTTP without an SSL certificate. If
Appcircle must be installed with HTTPS from the initial installation. If you initially installed Appcircle with HTTP, you will need to [uninstall](/self-hosted-appcircle/install-server/helm-chart/uninstallation) it and then reinstall it with HTTPS.
:::

:::warning
Ensure that each [required domain name](/self-hosted-appcircle/install-server/helm-chart/installation/kubernetes#1-domain-name) is included in the Subject Alternative Name (SAN) extension of your SSL certificate, either listed individually or using a wildcard (e.g., `*.appcircle.spacetech.com`).

- :warning: **Do not use** wildcard domains in the Common Name (CN). Wildcards must be specified only in the SAN extension as per SSL best practices.

:::

You have two options for configuring SSL certificates:

1. **Trial Purposes**: Define the SSL certificate directly in the `values.yaml` by following [this section](#define-the-ssl-certificate-in-valuesyaml).
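Review bot: The wildcard example in the first sentence of this warning needs a scope caveat: a SAN entry of `*.appcircle.spacetech.com` matches exactly one label, so it covers neither `appcircle.spacetech.com` itself nor a deeper name such as `a.b.appcircle.spacetech.com`. Say that any required domain outside that single level has to be listed individually. This is also the only copy of the warning in the change without the `openssl x509 ... | grep -A 1 "X509v3 Subject Alternative Name"` check; add it here, or link to it, so Helm users can verify the certificate too.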
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,20 @@ Refer to [reset configuration](/self-hosted-appcircle/install-server/linux-packa

:::

:::warning

Ensure that each [required domain name](/self-hosted-appcircle/install-server/linux-package/installation/pre-installation-checklist.md#configure-the-dns-settings) is included in the Subject Alternative Name (SAN) extension of your SSL certificate, either listed individually or using a wildcard (e.g., `*.appcircle.spacetech.com`).

- :warning: **Do not use** wildcard domains in the Common Name (CN). Wildcards must be specified only in the SAN extension as per SSL best practices.

- If you saved the SSL certificate as a file, you can check the Subject Alternative Name (SAN) extension of the certificate by running the following command. If the output does not contain the required domain names, you need to update the SSL certificate.

```bash
openssl x509 -in appcircle-tls.crt -text -noout | grep -A 1 "X509v3 Subject Alternative Name"
```

:::

Set your private key and public certificate to `nginx` environment variables in `global.yaml` as below.

```yaml
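Review bot: The verification command in the last bullet of this warning inspects only the first certificate in the file, because `openssl x509 -in` reads a single PEM block. If `appcircle-tls.crt` holds a chain, the leaf has to come first, otherwise the SAN shown belongs to a different certificate; say so in the bullet, or tell readers to run the check against the leaf certificate alone. The file name `appcircle-tls.crt` is not introduced anywhere in the visible text, so mark it as a placeholder for the reader's own certificate file.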
Expand Down Expand Up @@ -373,6 +387,20 @@ Let's assume we want to use `apps.spacetech.com` as custom domain for our sample

Custom domain HTTPS settings are similar to the main domain conceptually. After enabling HTTPS for the main domain, it won't be hard to enable HTTPS for the Enterprise App Store custom domain.

:::warning

Ensure that the Enterprise App Store custom domain (`apps.spacetech.com` in our sample scenario) is included in the Subject Alternative Name (SAN) extension of your SSL certificate.

- :warning: **Do not use** wildcard domains in the Common Name (CN). Wildcards must be specified only in the SAN extension as per SSL best practices.

- If you saved the SSL certificate as a file, you can check the Subject Alternative Name (SAN) extension of the certificate by running the following command. If the output does not contain the required domain names, you need to update the SSL certificate.

```bash
openssl x509 -in appcircle-tls.crt -text -noout | grep -A 1 "X509v3 Subject Alternative Name"
```

:::

Configure the `storeWeb` section in your `global.yaml` as follows:

<Tabs
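Review bot: The first sentence of this warning says "your SSL certificate" without saying which certificate, and here that matters: `apps.spacetech.com` does not fall under the `*.appcircle.spacetech.com` wildcard given as the main-domain example earlier in this file, so a certificate that relies on that wildcard will not match the custom domain. State that the custom domain needs its own explicit SAN entry in whichever certificate is configured under `storeWeb`. The copied sentence "If the output does not contain the required domain names" should then refer to the single custom domain.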
Expand Down Expand Up @@ -578,6 +606,21 @@ If you don't have the `testerWeb` section defined in the `global.yaml` file, yo
If you have a `testerWeb` section previously defined in the `global.yaml` file for some reason, you should update that section with the `customDomain` settings below instead of adding a new one.
:::

:::warning

Ensure that the custom Testing Distribution domain (`dist.spacetech.com` in our sample scenario) is included in the Subject Alternative Name (SAN) extension of your SSL certificate.

- :warning: **Do not use** wildcard domains in the Common Name (CN). Wildcards must be specified only in the SAN extension as per SSL best practices.

- If you saved the SSL certificate as a file, you can check the Subject Alternative Name (SAN) extension of the certificate by running the following command. If the output does not contain the required domain names, you need to update the SSL certificate.

```bash
openssl x509 -in appcircle-tls.crt -text -noout | grep -A 1 "X509v3 Subject Alternative Name"
```

:::


<Tabs
defaultValue="docker"
groupId="container-engine"
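Review bot: The CN bullet, the verification bullet and the `openssl x509` command in this warning are the third verbatim copy in this file, with only the first sentence changed. Move the shared part into one place (a reusable snippet or a link back to the main-domain section) so the copies cannot drift when the command or the guidance changes. The hunk also leaves two blank lines before `<Tabs`; one is enough.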
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,13 @@ You can see details in the [DNS Settings](/self-hosted-appcircle/install-server/
- [ ] The SSL certificate private key must not have a passphrase.
- [ ] Obtain the root CA certificate of your company.
- [ ] Obtain the intermediate CA certificate of your company if it exists.
- [ ] Ensure that each [required domain name](/self-hosted-appcircle/install-server/linux-package/installation/pre-installation-checklist.md#configure-the-dns-settings) is included in the Subject Alternative Name (SAN) extension of your SSL certificate, either listed individually or using a wildcard (e.g., `*.appcircle.spacetech.com`).
- :warning: **Do not use** wildcard domains in the Common Name (CN). Wildcards must be specified only in the SAN extension as per SSL best practices.
- If you saved the SSL certificate as a file, you can check the Subject Alternative Name (SAN) extension of the certificate by running the following command. If the output does not contain the required domain names, you need to update the SSL certificate.

```bash
openssl x509 -in appcircle-tls.crt -text -noout | grep -A 1 "X509v3 Subject Alternative Name"
```

### Obtain the SMTP Settings
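Review bot: The link in the new checklist item ends in `pre-installation-checklist.md#configure-the-dns-settings`, while the other absolute links visible in this change (for example `/self-hosted-appcircle/install-server/helm-chart/installation/kubernetes#1-domain-name`) carry no `.md` extension. Confirm that the target resolves in the built site or switch to the extension-less form; the same link appears in the linux-package warning. Separately, "as per SSL best practices" in the CN bullet gives the reader no reason to act on: state the concrete one, that clients validate the host name against the SAN entries.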
