Question about generating TLS/SSL cert

Explorer

When generating certs for the hosts (not the CM server host), should the common name be the node's hostname (host1, host2...) or the web address (cm.example.com)?

3 REPLIES

Super Guru

@vibe, Use the fully-qualified host name (cm.example.com).

Common Name has been deprecated, though, so you should consider utilizing SubjectAltName as a repository for all the host names that clients may use to access your host.

CN will work just fine, but may cause issues for clients such as Chrome or Firefox. See:

https://developers.google.com/web/updates/2017/03/chrome-58-deprecations ("Remove Support for commonName matching in certificates" on that page)

While you can find a great deal more information out there, here is an example of a page that has more information:

http://wiki.cacert.org/FAQ/subjectAltName

Long story short:

  • If you use Common Name, make it the Fully-Qualified host name
  • Use subjectAltName if you want to make sure you are using current standards.
  • CM/CDH will support either method at this time
  • NOTE: if subjectAltName is found, CN is ignored (just be aware of that)

Super Guru

@vibe
One more thing... I should state that you need to make sure that the subjectAltName or CN contains the host to which the client is connecting in order for the client to validate the hostname.  In CDH we deal with FQDNs, so that is what we would expect you to require.
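
The matching rule described in the two replies above (subjectAltName takes precedence and CN is then ignored; the name the client connects to must be present), as an added example that is not part of the original posts or of CM/CDH. It takes a dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificates, host names and the `allow_cn_fallback` switch are constructed for illustration, and the wildcard handling is a simplification.

```python
# Added example: hostname check over a dict shaped like ssl.SSLSocket.getpeercert().
# All certificate contents below are constructed sample data.

def _dns_match(pattern, hostname):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def names_checked(cert):
    """Return (field consulted, names found there): DNS SANs win over CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return "subjectAltName", sans  # CN is ignored from here on
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return "commonName", cns

def hostname_ok(cert, hostname, allow_cn_fallback=True):
    """allow_cn_fallback=False models a client that no longer matches on CN."""
    field, names = names_checked(cert)
    if field == "commonName" and not allow_cn_fallback:
        return False
    return any(_dns_match(n, hostname) for n in names)

# Constructed certificates
CN_ONLY = {"subject": ((("commonName", "host1.example.com"),),)}
SHORT_CN = {"subject": ((("commonName", "host1"),),)}
SAN_AND_CN = {
    "subject": ((("commonName", "cm.example.com"),),),
    "subjectAltName": (("DNS", "host1.example.com"), ("DNS", "host2.example.com")),
}

if __name__ == "__main__":
    for label, cert, host, fallback in [
        ("CN only, FQDN", CN_ONLY, "host1.example.com", True),
        ("CN only, client without CN matching", CN_ONLY, "host1.example.com", False),
        ("CN is short name", SHORT_CN, "host1.example.com", True),
        ("SAN present, name only in CN", SAN_AND_CN, "cm.example.com", True),
        ("SAN present, name in SAN", SAN_AND_CN, "host2.example.com", True),
    ]:
        print(f"{label:40s} {host:20s} -> {hostname_ok(cert, host, fallback)}")
```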

Explorer

Thanks for the reply bgooley.

Is it possible to add the FQDN of every host that will be in the cluster into one CSR using subjectAltName and using the one cert on every host?
