Hmmm ... I see. The server certificate's CN is compared to the server's
name as it is provided to the client. This is unlike the behavior of
kerberos, which performs a reverse lookup of the server's IP to locate
it's principal. I suppose this solves my problem creating unique DNs
for each of my
I run several SSL enabled services on a single host. Especially since
some of these don't run as root, I want to create a different
certificate, with a different DN, for each service. However, each
service certificates' CN must be the FQDN of the host. The kerberos
principal syntax, "service/FQ
