irods / irods_docs

iRODS Documentation

Consider rewording statements about setting up SSL for the server #197

Open korydraughn opened 1 year ago

korydraughn commented 1 year ago

Hi, just a small issue for the people who control the iRODS documentation:

On this page: https://docs.irods.org/4.2.8/plugins/pluggable_authentication/#server-ssl-setup

I think there is some misleading language used in the first of these two sentences:

What is important, especially since this is a certificate for a server host, is
to make sure to use the FQDN of the server as the "common name" for the
certificate (should be the same name that clients use as their irods_host), and
do not add an email address. If you are working with a CA, you can also put host
aliases that users might use to access the host in the 'subjectAltName' X.509
extension field if the CA offers this capability.

The confusion is about it being okay to have the hostname as one of the server's alternative names, which is explained in the second sentence. The first sentence doesn't make the context clear, though.

I'd suggest as alternative language:

You should not add an email address in the certificate. If you are creating a
self-signed certificate, it is important, especially since this is a certificate
for a server host, to make sure to use the FQDN of the server as the "common name"
for the certificate (should be the same name that clients use as their irods_host).
If you are creating a CA-signed certificate, you can also add host aliases that
users might use to access the host in the 'subjectAltName' X.509 extension field
if the CA offers this capability.

You might include some instructions that can be used to add alternative names; for reference I used this (but can't guarantee it is the most concise or perfect way):

save the following as openssl.cnf (the `[ req ]` section header is required, otherwise `openssl req -config` cannot find the `distinguished_name` setting):

```ini
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
# Left empty here: the subject (CN = FQDN, no emailAddress) is supplied
# interactively or with -subj when running openssl req.

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
# DNS.1 should be the FQDN that clients use as irods_host; the rest are aliases.
DNS.1 = <hostname>
DNS.2 = <alt_hostname1>
DNS.3 = <alt_hostname2>
```

Kind regards Alastair

(Originally posted at https://groups.google.com/g/iROD-Chat/c/33rT77bqem0)
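A runnable version of the procedure described in the post, added here as an example; it is not from the iRODS documentation, the iRODS project or the post's author. It writes an openssl.cnf with the `[ req ]` section and SAN list, issues a self-signed server certificate whose common name is the FQDN and which carries no emailAddress, then uses `openssl x509 -checkhost` to confirm that each listed alias is accepted and an unlisted name is rejected. The hostnames irods.example.org, data.example.org and archive.example.org are made-up placeholders, and the script assumes the `openssl` CLI (1.1.1 or newer) is installed.

```shell
#!/bin/sh
# Added example (not from the iRODS docs or the issue): build a self-signed
# iRODS server certificate with CN = FQDN and aliases in subjectAltName,
# then verify what a hostname check accepts. Requires the openssl CLI.
set -eu

# Constructed placeholder names; replace with the real irods_host and aliases.
FQDN="irods.example.org"
ALT1="data.example.org"
ALT2="archive.example.org"

WORK="$(mktemp -d)"
CNF="$WORK/openssl.cnf"
KEY="$WORK/irods.key"
CRT="$WORK/irods.crt"

# Write an openssl.cnf. The [ req ] header is what "openssl req -config"
# reads distinguished_name and the extension section names from.
write_openssl_cnf() {
    cat > "$CNF" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = req_ext
prompt             = no

[ req_distinguished_name ]
# The common name is the FQDN clients use as irods_host; no emailAddress.
CN = $FQDN

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $FQDN
DNS.2 = $ALT1
DNS.3 = $ALT2
EOF
}

# Issue a self-signed certificate in one step (no separate CSR).
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$CNF" -extensions req_ext \
        -keyout "$KEY" -out "$CRT" >/dev/null 2>&1
}

# Subject DN in RFC 2253 form, e.g. "CN=irods.example.org".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# SAN entries with whitespace stripped, e.g. "DNS:a,DNS:b,DNS:c".
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; gsub(/[ \t]/, ""); print; exit }'
}

# Exit 0 if OpenSSL's hostname check (the same rule a TLS client applies)
# accepts the name for this certificate, non-zero otherwise.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

write_openssl_cnf
make_self_signed_cert
echo "subject : $(cert_subject "$CRT")"
echo "SAN     : $(cert_san "$CRT")"
for name in "$FQDN" "$ALT1" "$ALT2" "other.example.org"; do
    if cert_matches_host "$CRT" "$name"; then
        echo "$name: accepted"
    else
        echo "$name: rejected"
    fi
done
```

Two points the script makes visible: the subject contains only the CN, and the FQDN is repeated as DNS.1 in the SAN. The second matters because once a certificate carries any DNS subjectAltName, OpenSSL (and browsers, per RFC 6125) match the requested hostname against the SAN list only and ignore the common name, so an FQDN that is in the CN but missing from the SAN would be rejected by clients.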