When generating certs for the hosts (not the cm server host), should the common name be the node's hostname (host1, host2...) or the web address (cm.example.com)?
@vibe, Use the fully-qualified host name (cm.example.com).
Common Name has been deprecated, though, so you should consider utilizing SubjectAltName as a repository for all the host names that clients may use to access your host
CN will work just fine, but may cause issues for clients such as Chrome or Firefox. See:
https://developers.google.com/web/updates/2017/03/chrome-58-deprecations "Remove Support for commonName matching in certificates" on that page.
While you can find a great deal more information out there, here is an example of a page that has more information:
Long story short:
One more thing... I should state that you need to make sure that the subjectAltName or CN contains the host to which the client is connecting in order for the client to validate the hostname. In CDH we deal with FQDNs, so that is what we would expect you to require.
Thanks for the reply bgooley.
Is it possible to add the fqdn of every host that will be in the cluster into one csr using subjectALTname and using the one cert on every host?