Slightly confusing language used in irods docs


alsmith20000

Mar 22, 2023, 5:06:39 PM
to iRODS-Chat
Hi
just a small issue for the people that control the irods documentation:

On this page:

I think there is some misleading language used in the first of these two sentences:

What is important, especially since this is a certificate for a server host, is to make sure to use the FQDN of the server as the "common name" for the certificate (should be the same name that clients use as their irods_host), and do not add an email address. If you are working with a CA, you can also put host aliases that users might use to access the host in the 'subjectAltName' X.509 extension field if the CA offers this capability.

The confusion is about it being okay to have the hostname as one of the server alternative names, which is explained in the second sentence. The first sentence doesn't make the context clear though.

I'd suggest as alternative language:
----------------------
You should not add an email address in the certificate. If you are creating a self-signed certificate, it is important, especially since this is a certificate for a server host, to make sure to use the FQDN of the server as the "common name" for the certificate (should be the same name that clients use as their irods_host). If you are creating a CA-signed certificate, you can also add host aliases that users might use to access the host in the 'subjectAltName' X.509 extension field if the CA offers this capability.
--------------------

You might include some instructions that can be used to add alternative names; for reference I used this (but can't guarantee it is the most concise or perfect way):
in openssl req
include this flag:
-config openssl.cnf
   
save the following as openssl.cnf:
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = <hostname>
DNS.2 = <alt_hostname1>
DNS.3 = <alt_hostname2>

Kind regards
Alastair
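
An added example, not part of the original posts and not iRODS project code: the openssl.cnf approach from the message above, extended to check that every name clients use as irods_host appears in the subjectAltName of both the CSR and a self-signed certificate. The hostnames, file names and function names are constructed for illustration, and the explicit `[ req ]` header and the `commonName` prompt line are additions to the posted config.

```shell
#!/bin/sh
# Added example. Hostnames below are constructed placeholders.

# write_cnf FILE FQDN [ALIAS...]: the thread's openssl.cnf, one DNS.n per name.
write_cnf() {
    cnf=$1; shift
    {
        printf '%s\n' '[ req ]' \
            'distinguished_name = req_distinguished_name' \
            'req_extensions = req_ext' \
            '[ req_distinguished_name ]' \
            'commonName = Common Name (server FQDN)' \
            '[ req_ext ]' \
            'subjectAltName = @alt_names' \
            '[ alt_names ]'
        i=1
        for n in "$@"; do printf 'DNS.%d = %s\n' "$i" "$n"; i=$((i + 1)); done
    } > "$cnf"
}

# make_csr DIR FQDN [ALIAS...]: new key plus CSR; CN is the FQDN, no email.
make_csr() {
    dir=$1; shift
    write_cnf "$dir/openssl.cnf" "$@"
    openssl req -new -newkey rsa:2048 -nodes -batch -subj "/CN=$1" \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
}

# make_selfsigned DIR FQDN: req_extensions only feeds the CSR, so the
# self-signed path names the section explicitly with -extensions.
make_selfsigned() {
    openssl req -x509 -new -batch -key "$1/server.key" -subj "/CN=$2" -days 30 \
        -config "$1/openssl.cnf" -extensions req_ext -out "$1/server.crt"
}

# san_names KIND FILE: KIND is "req" (CSR) or "x509" (certificate).
san_names() {
    openssl "$1" -in "$2" -noout -text | grep 'DNS:' | tr ',' '\n' |
        sed -n 's/^ *DNS://p'
}

# uncovered KIND FILE HOST...: print each client-side irods_host value that
# is not an exact SAN entry (wildcard matching is not modelled here).
uncovered() {
    kind=$1; file=$2; shift 2
    sans=$(san_names "$kind" "$file")
    for h in "$@"; do
        printf '%s\n' "$sans" | grep -qixF "$h" || printf '%s\n' "$h"
    done
}
```

Running `uncovered` against the certificate a CA returns is the useful check, since a CA may drop or rewrite the extensions requested in the CSR.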

Kory Draughn

Mar 24, 2023, 8:10:40 AM
to irod...@googlegroups.com
Hi Alastair,

I've captured this in an issue so we don't lose it.

You can track its progress at https://github.com/irods/irods_docs/issues/197.

Thanks,

Kory Draughn
Chief Technologist
iRODS Consortium

