Support DNS Alias-Only Certificates for RSSO AIM
Issue
When configuring AVEVA Identity Manager (AIM) on a Redundant Single Sign-On (RSSO) node (PI Server 2024 R2, PCS 8.2.1), the TLS certificate must include the machine FQDN in the SAN list.
Certificates that contain only DNS aliases — even when those aliases correctly resolve to the host and represent the official service endpoint — are rejected.
Enhancement Request
RSSO AIM must support TLS certificates that contain DNS aliases in the SAN list without requiring the internal machine FQDN to be included.
The current implementation enforces an unnecessary dependency on internal hostnames and breaks common enterprise security and PKI design principles, where:
Services are exposed via approved DNS aliases
Internal machine names are intentionally abstracted
Certificate issuance policies prohibit inclusion of internal FQDNs
Requiring the machine FQDN in the SAN list is not aligned with modern enterprise TLS practices and creates avoidable architectural constraints.
This behavior should be corrected so that RSSO AIM validates certificates based on the configured service endpoint rather than enforcing the underlying machine name.
The product should support standard, enterprise-grade certificate deployment models without requiring internal hostname exposure or design compromises.
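As an added illustration (not AVEVA's code) of the validation model requested above, the following pure-Python check matches a certificate's SAN dNSName entries against a name using RFC 6125 style rules, then runs an alias-only SAN list against the configured service endpoint and against the machine FQDN; all host names, aliases and the SAN list are constructed for the example.

```python
"""Does a certificate's SAN list cover the name clients actually use?

Constructed example: an alias-only certificate checked against the
configured service endpoint (what the enhancement request asks for) and
against the internal machine FQDN (what RSSO AIM currently requires).
"""
from dataclasses import dataclass
from typing import List, Optional


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is the root.
    return name.strip().rstrip(".").lower()


def dns_name_matches(san_entry: str, hostname: str) -> bool:
    """Compare one SAN dNSName to a host name (RFC 6125 section 6.4.3 style)."""
    pattern, host = _normalize(san_entry), _normalize(hostname)
    if not pattern or not host:
        return False
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard only as the whole leftmost label, never partial ("f*.x"),
    # and with at least two more labels so "*.com" never matches.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    if len(h_labels) != len(p_labels):
        return False  # a wildcard covers exactly one label, not sub-labels
    return p_labels[1:] == h_labels[1:]


@dataclass
class SanCheck:
    covered: bool
    matched_entry: Optional[str]


def san_covers(san_dns_names: List[str], name: str) -> SanCheck:
    """Report which SAN entry (if any) covers the given name."""
    for entry in san_dns_names:
        if dns_name_matches(entry, name):
            return SanCheck(True, entry)
    return SanCheck(False, None)


# Constructed alias-only SAN list: no internal machine name present.
ALIAS_ONLY_SAN = ["pi-sso.example.com", "*.svc.example.com"]
CONFIGURED_ENDPOINT = "pi-sso.example.com"  # the name clients connect to
MACHINE_FQDN = "srv-pi-01.corp.internal"    # the name AIM currently demands

if __name__ == "__main__":
    print(san_covers(ALIAS_ONLY_SAN, CONFIGURED_ENDPOINT))  # covered=True
    print(san_covers(ALIAS_ONLY_SAN, MACHINE_FQDN))         # covered=False
```

Validating against the configured endpoint accepts the alias-only certificate, while a check keyed on the machine FQDN rejects the same certificate even though clients never use that name.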