Apparently Apple iOS and iPadOS VPN clients now require a subjectAltName in the client cert, not just the CN, to set up IKEv2 VPN tunnels.* The subjectAltName can be the same as the CN; it just has to be present.

Questions about this:

1. Does the 'ikectl ca <CAname> certificate <hostname> create' command support creation of X.509 certs with a subjectAltName defined in addition to the CN? If so, what's the syntax?

2. Can a separate standalone CA just create the certs with the necessary SAN fields? Is it as easy as just dropping the root cert, the client certs, and keys in these respective directories?

/etc/iked/ca
/etc/iked/certs
/etc/iked/private

If not, what else is needed?

Thanks!

dn

* https://discussions.apple.com/thread/250760557
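
Whichever CA issues the client certs, the requirement described above can be checked before a cert is copied into /etc/iked/certs. The following is an added example, not part of the original post and not ikectl's own code. It assumes the SAN is a DNS-type entry equal to the CN; the function names and the test-cert helper are hypothetical.

```shell
#!/bin/sh
# Added example: verify that a client cert carries a subjectAltName
# matching its CN. Assumes a DNS-type SAN entry.

# cert_cn FILE -> prints the subject CN
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# has_matching_san FILE -> 0 if a SAN entry "DNS:<CN>" exists,
# 1 if the SAN is absent or different, 2 if no CN was found
has_matching_san() {
    cn=$(cert_cn "$1")
    [ -n "$cn" ] || return 2
    # The SAN values are on the line after the extension header;
    # split entries and require an exact match, not a substring.
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' |
        grep -qxF "DNS:$cn"
}

# make_test_cert CN OUT [SAN] -> constructed self-signed cert for
# trying the check; not a substitute for a CA-issued client cert
make_test_cert() {
    cfg=$(mktemp)
    {
        printf '[req]\ndistinguished_name = dn\n'
        printf '[dn]\ncommonName = Common Name\n'
        printf '[ext]\nbasicConstraints = CA:FALSE\n'
        if [ -n "${3:-}" ]; then printf 'subjectAltName = %s\n' "$3"; fi
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" \
        -out "$2" -subj "/CN=$1" -days 1 \
        -config "$cfg" -extensions ext 2>/dev/null
    rm -f "$cfg"
}

# Usage: sh check_san.sh /etc/iked/certs/<client>.crt
if [ "$#" -gt 0 ]; then
    if has_matching_san "$1"; then
        echo "OK: SAN matches CN"
    else
        echo "MISSING: no SAN entry matching CN"
    fi
fi
```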

