Hi
Just a small issue for the people who control the iRODS documentation:
On this page:
I think there is some misleading language used in the first of these two sentences:
What is important, especially since this is a certificate for a server host, is to make sure to use the FQDN of the server as the "common name" for the certificate (should be the same name that clients use as their irods_host), and do not add an email address. If you are working with a CA, you can also put host aliases that users might use to access the host in the 'subjectAltName' X.509 extension field if the CA offers this capability.
The confusion is about it being okay to have the hostname as one of the server alternative names, which is explained in the second sentence. The first sentence doesn't make the context clear though.
I'd suggest as alternative language:
----------------------
You should not add an email address in the certificate. If you are creating a self-signed certificate, it is important, especially since this is a certificate for a server host, to make sure to use the FQDN of the server as the "common name" for the certificate (should be the same name that clients use as their irods_host). If you are creating a CA-signed certificate, you can also add host aliases that users might use to access the host in the 'subjectAltName' X.509 extension field if the CA offers this capability.
--------------------
You might include some instructions that can be used to add alternative names; for reference I used this (but can't guarantee it is the most concise or perfect way):
in openssl req
include this flag:
-config openssl.cnf
save the following as openssl.cnf:
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
# Left empty on purpose: pass the subject on the command line with -subj
# (CN = the server's FQDN, no emailAddress) instead of being prompted.
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = <hostname>
DNS.2 = <alt_hostname1>
DNS.3 = <alt_hostname2>
Kind regards
Alastair
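As an added example (not part of Alastair's message or the iRODS documentation), the script below generates an openssl.cnf in the shape shown above, issues a self-signed server certificate whose CN is the FQDN and whose subjectAltName lists the FQDN plus aliases, and then reads the CN and SAN entries back so the result can be checked. The hostnames are constructed placeholders; it assumes an `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): write an openssl.cnf like the
# one above, issue a self-signed server cert with the FQDN as CN and the FQDN
# plus aliases in subjectAltName, then read both back. Hostnames are made up.
set -eu
# $1 = output path, remaining args = DNS names (the first is also the CN).
write_san_config() {
  out=$1; shift
  {
    printf '[ req ]\n'
    printf 'distinguished_name = req_distinguished_name\n'
    printf 'req_extensions = req_ext\n'       # applied to a CSR
    printf 'x509_extensions = req_ext\n'      # applied to a -x509 self-signed cert
    printf 'prompt = no\n'                    # no email, only the CN below
    printf '[ req_distinguished_name ]\nCN = %s\n' "$1"
    printf '[ req_ext ]\nsubjectAltName = @alt_names\n'
    printf '[ alt_names ]\n'
    i=1
    for name in "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$out"
}

# Key + self-signed cert into directory $1 for the given names.
make_self_signed() {
  dir=$1; shift
  write_san_config "$dir/openssl.cnf" "$@"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/server.key" -out "$dir/server.crt" \
    -config "$dir/openssl.cnf" >/dev/null 2>&1
}

# CN of a certificate (what clients compare with irods_host).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}
# DNS entries of the certificate's subjectAltName, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Demo with constructed names: sh san-demo.sh demo
if [ "${1:-}" = demo ]; then
  mkdir -p san-demo && make_self_signed san-demo irods.example.org data.example.org
  cert_cn san-demo/server.crt; cert_sans san-demo/server.crt
fi
```

For a CA-signed certificate, drop `-x509` so the same config produces a CSR carrying the SAN request; whether the CA copies those names into the issued certificate is up to the CA, so check the returned certificate with `cert_sans` as well.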