looking for terminology recommendations concerning non-rooted FQDNs
Jay Ashworth
jra at baylink.com
Fri Feb 22 17:41:33 UTC 2013
----- Original Message -----
> From: "Brian Reichert" <reichert at numachi.com>
> The core issue I'm trying to resolve surrounds the generation of a
> CSR. We're trying to automate this process for a network appliance
> my employer sells.
>
> When our appliance generates a CSR for itself, among the steps is
> to get a PTR record; by convention (or otherwise) these are rooted
> domain names.
>
> When we generate a CSR, we're choosing to include the rooted domain
> name, as well as the other form (for now, I guess it should be
> called a FQDN, the version without the trailing dot).
>
> The resulting issued certificate has both forms in the SubjectAltName
> field, and this allows both hostname forms to be used to establish
> an SSL connection to our server. They are considered distinct for
> the Subject verification phase.
My snap reaction is to say that nothing should ever be *trying* to
compare a rooted F.Q.D.N. against a certificate; it is, as has been
noted, merely command line/entry field shorthand to tell the local
resolver where to quit; applications should all be stripping that
trailing dot.
Do you have evidence that the extra AltName with the trailing dot
is operationally necessary?
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274
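The reply above argues that the trailing dot is resolver shorthand and that applications should strip it before comparing a hostname against a certificate. The following is an added example, not code from the original thread or from the poster's appliance, showing the difference between a naive string comparison of SAN dNSName entries (which treats `host.example.net.` and `host.example.net` as distinct, and so forces the issuer to include both forms) and a matcher that normalises both sides first. The SAN list and hostnames are constructed sample data; the wildcard handling follows the usual RFC 6125 rule that `*` may only stand for a complete left-most label.

```python
"""Hostname-to-SAN matching that normalises a rooted (trailing-dot) FQDN.

Added example for the NANOG thread on rooted FQDNs in CSRs; this is not the
poster's appliance code. SAMPLE_SAN below is a constructed certificate SAN.
"""
import ipaddress


def normalize_hostname(name: str) -> str:
    """Drop at most one trailing dot (the resolver's 'root' marker) and
    lower-case the name, so 'Host.Example.NET.' equals 'host.example.net'."""
    if name.endswith(".") and len(name) > 1:
        name = name[:-1]
    return name.lower()


def naive_match(hostname: str, san_dns_names: list[str]) -> bool:
    """Plain string equality against the SAN list. This is the behaviour that
    makes a rooted name fail unless the certificate also carries that form."""
    return hostname in san_dns_names


def san_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """Compare a hostname with dNSName SAN entries after normalising both sides.

    A wildcard is honoured only as the entire left-most label of a pattern
    with at least three labels (so '*.example.net' is accepted, '*.net' is
    not), and it never matches the bare parent domain (RFC 6125 s.6.4.3).
    IP-address literals belong to iPAddress SANs and are rejected here.
    """
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass

    host_labels = normalize_hostname(hostname).split(".")
    if "" in host_labels:
        return False  # empty label: malformed name such as 'a..b' or '.'

    for entry in san_dns_names:
        pat_labels = normalize_hostname(entry).split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if "*" in pat_labels[1:]:
            continue  # wildcard only allowed in the left-most label
        if pat_labels[0] == "*" and len(pat_labels) < 3:
            continue  # refuse '*.net'-style wildcards on a registrable suffix
        head_ok = pat_labels[0] == "*" or pat_labels[0] == host_labels[0]
        if head_ok and pat_labels[1:] == host_labels[1:]:
            return True
    return False


# Constructed sample: a certificate carrying only the non-rooted forms.
SAMPLE_SAN = ["appliance.example.net", "*.lab.example.net"]

if __name__ == "__main__":
    for h in ("appliance.example.net", "appliance.example.net.",
              "box.lab.example.net.", "lab.example.net"):
        print(f"{h:26} naive={naive_match(h, SAMPLE_SAN)!s:5} "
              f"normalised={san_matches(h, SAMPLE_SAN)}")
```

Run stand-alone, the script shows that only the normalising matcher accepts `appliance.example.net.` against a certificate that lists just `appliance.example.net`; the naive comparison is the one the thread's CSR workaround was compensating for.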