----- Original Message -----
> From: "Brian Reichert" <reich...@numachi.com>
>
> The core issue I'm trying to resolve surrounds the generation of a
> CSR. We're trying to automate this process for a network appliance
> my employer sells.
>
> When our appliance generates a CSR for itself, among the steps is
> to get a PTR record; by convention (or otherwise) these are rooted
> domain names.
>
> When we generate a CSR, we're choosing to include the rooted domain
> name, as well as the other form (for now, I guess it should be
> called a FQDN, the version without the trailing dot).
>
> The resulting issued certificate has both forms in the SubjectAltName
> field, and this allows both hostname forms to be used to establish
> an SSL connection to our server. They are considered distinct for
> the Subject verification phase.

My snap reaction is to say that nothing should ever be *trying* to compare a rooted F.Q.D.N. against a certificate; it is, as has been noted, merely command line/entry field shorthand to tell the local resolver where to quit; applications should all be stripping that trailing dot.

Do you have evidence that the extra AltName with the trailing dot is operationally necessary?

Cheers,
-- jra

-- 
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      #natog                      +1 727 647 1274
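As an added example that is not part of this thread, the Python below (with constructed SAN entries and hostnames) shows the normalization Jay is describing: the reference identity has its trailing dot stripped before it is compared against the certificate's SubjectAltName dNSName entries, next to the naive exact-string comparison under which the rooted and unrooted forms look like two different names. It goes slightly beyond the thread by also handling a single leftmost wildcard label in the RFC 6125 style.

```python
"""Hostname vs. SubjectAltName dNSName matching with trailing-dot normalization.

Added illustration; names such as appliance.example.com are constructed
and are not taken from the mailing-list thread.
"""


def normalize_hostname(host: str) -> str:
    """Return the reference identity in canonical form: lowercase, no trailing dot.

    The rooted form ("host.example.com.") is resolver shorthand and carries no
    extra meaning for certificate matching, so exactly one trailing dot is removed.
    """
    host = host.strip().lower()
    if host.endswith("."):
        host = host[:-1]
    if not host or host.endswith(".") or ".." in host:
        raise ValueError(f"malformed hostname: {host!r}")
    return host


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName pattern against an already-normalized hostname.

    A wildcard is accepted only as the entire leftmost label, matches exactly
    one label, and must leave at least two literal labels ("*.com" is rejected).
    """
    pattern = normalize_hostname(pattern)
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(san_dns_names, host: str) -> bool:
    """True if any SAN dNSName covers the host after trailing-dot normalization."""
    normalized = normalize_hostname(host)
    return any(dns_name_matches(p, normalized) for p in san_dns_names)


def naive_matches(san_dns_names, host: str) -> bool:
    """Exact string comparison: the behaviour under which both forms had to be in the SAN."""
    return host in san_dns_names


if __name__ == "__main__":
    san = ["appliance.example.com"]  # constructed: only the unrooted form is issued
    for candidate in ("appliance.example.com", "appliance.example.com."):
        print(candidate, "normalized:", cert_matches_host(san, candidate),
              "naive:", naive_matches(san, candidate))
```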