[161017] in North American Network Operators' Group
Re: looking for terminology recommendations concerning non-rooted
daemon@ATHENA.MIT.EDU (Jay Ashworth)
Fri Feb 22 12:41:51 2013
Date: Fri, 22 Feb 2013 12:41:33 -0500 (EST)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <20130222171710.GB99258@numachi.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
----- Original Message -----
> From: "Brian Reichert" <reichert@numachi.com>
> The core issue I'm trying to resolve surrounds the generation of a
> CSR. We're trying to automate this process for a network appliance
> my employer sells.
>
> When our appliance generates a CSR for itself, among the steps is
> to get a PTR record; by convention (or otherwise) these are rooted
> domain names.
>
> When we generate a CSR, we're choosing to include the rooted domain
> name, as well as the other form (for now, I guess it should be
> called a FQDN, the version without the trailing dot).
>
> The resulting issued certificate has both forms in the SubjectAltName
> field, and this allows both hostname forms to be used to establish
> an SSL connection to our server. They are considered distinct for
> the Subject verification phase.
My snap reaction is to say that nothing should ever be *trying* to
compare a rooted F.Q.D.N. against a certificate; it is, as has been
noted, merely command line/entry field shorthand to tell the local
resolver where to quit; applications should all be stripping that
trailing dot.
Do you have evidence that the extra AltName with the trailing dot
is operationally necessary?
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274
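The point under discussion, as an added example that is not part of the thread: a certificate verifier that compares the reference identifier byte-for-byte treats "host.example.net" and "host.example.net." as distinct names (the behaviour Brian observes), while one that strips the trailing dot and folds case first (the behaviour Jay argues for) accepts the rooted form against the unrooted SAN entry, making the second AltName redundant. The hostnames and SAN lists are constructed for illustration.

```python
# Added example (not from the NANOG thread): matching a reference identifier
# against certificate dNSName SAN entries, with and without the trailing-dot
# normalisation recommended in the reply above.
# SAN entries and hostnames below are constructed, not from any real cert.

from typing import Iterable, List

# Constructed SAN lists standing in for the dNSName entries of an issued cert.
SAN_UNROOTED_ONLY = ["appliance.example.net"]
SAN_BOTH_FORMS = ["appliance.example.net", "appliance.example.net."]


def normalize_hostname(name: str) -> str:
    """Canonicalise a DNS name for certificate matching.

    Strips exactly one trailing dot (the rooted form) and lowercases the
    result, since DNS names are case-insensitive. Rejects an empty name,
    a leading dot, an empty label, or more than one trailing dot.
    """
    if name.endswith("."):
        name = name[:-1]
    if not name or name.startswith(".") or name.endswith(".") or ".." in name:
        raise ValueError(f"malformed hostname: {name!r}")
    return name.lower()


def is_well_formed(name: str) -> bool:
    """True if normalize_hostname() accepts the name."""
    try:
        normalize_hostname(name)
    except ValueError:
        return False
    return True


def strict_match(san_dns_names: Iterable[str], hostname: str) -> bool:
    """Byte-for-byte comparison: the rooted and unrooted forms are distinct,
    so only a SAN entry spelled exactly like the reference identifier matches."""
    return hostname in san_dns_names


def normalized_match(san_dns_names: Iterable[str], hostname: str) -> bool:
    """Strip the trailing dot and fold case on both sides before comparing,
    so a rooted reference identifier matches the unrooted SAN entry.
    Malformed SAN entries are skipped rather than allowed to match."""
    host = normalize_hostname(hostname)
    return any(
        normalize_hostname(san) == host
        for san in san_dns_names
        if is_well_formed(san)
    )


def canonical_san(san_dns_names: Iterable[str]) -> List[str]:
    """Collapse a SAN list to its distinct canonical names, which shows which
    entries are redundant once the verifier normalises."""
    return sorted({normalize_hostname(san) for san in san_dns_names if is_well_formed(san)})


if __name__ == "__main__":
    for host in ("appliance.example.net", "appliance.example.net.",
                 "APPLIANCE.Example.NET."):
        print(f"{host:26} strict={strict_match(SAN_UNROOTED_ONLY, host)!s:5} "
              f"normalized={normalized_match(SAN_UNROOTED_ONLY, host)}")
    print("canonical SAN set:", canonical_san(SAN_BOTH_FORMS))
```

Running the block shows the rooted and mixed-case forms failing the strict comparison but passing the normalised one, and `canonical_san` collapsing the two-entry list to a single name. Whether the extra rooted AltName is needed therefore depends entirely on which of the two matchers the clients in question implement.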