Question about generating TLS/SSL cert


When generating certs for the hosts (not the CM server host), should the common name be the node's hostname (host1, host2...) or the web address (


@vibe, use the fully-qualified host name (


Common Name has been deprecated, though, so you should consider utilizing subjectAltName as a repository for all the host names that clients may use to access your host.


CN will work just fine, but may cause issues for clients such as Chrome or Firefox.  See: "Remove Support for commonName matching in certificates" on that page.


While you can find a great deal more information out there, here is an example of a page that has more information:


Long story short:

  • If you use Common Name, make it the Fully-Qualified host name
  • Use subjectAltName if you want to make sure you are using current standards.
  • CM/CDH will support either method at this time
  • NOTE: if subjectAltName is found, CN is ignored (just be aware of that)

One more thing... I should state that you need to make sure that the subjectAltName or CN contains the host to which the client is connecting in order for the client to validate the hostname.  In CDH we deal with FQDNs, so that is what we would expect you to require.
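The matching rule summarized in the answer above, as an added example that is not part of the original posts or of CM/CDH code: it checks a requested host name against certificate dictionaries shaped like the output of Python's `ssl.SSLSocket.getpeercert()`. The host names, the `allow_cn_fallback` switch (modelling clients that have dropped commonName matching) and the exact-match-only comparison are assumptions made for illustration.

```python
# Added example: hostname matching over certificate dicts shaped like the
# output of ssl.SSLSocket.getpeercert(). All host names are constructed.

def dns_names(cert):
    """Return the dNSName entries from subjectAltName, lower-cased."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    """Return every commonName found in the subject, lower-cased."""
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def hostname_matches(cert, host, allow_cn_fallback=True):
    """Exact-match check (wildcards are deliberately not handled here).

    If any SAN dNSName exists, only the SAN list is consulted and CN is ignored.
    CN is used only when there is no SAN dNSName and the client still allows it.
    """
    host = host.lower().rstrip(".")
    sans = dns_names(cert)
    if sans:
        return host in sans
    return allow_cn_fallback and host in common_names(cert)

# Constructed sample certificates.
CN_ONLY = {"subject": ((("commonName", "host1.example.com"),),)}
SAN_CERT = {
    "subject": ((("commonName", "host1"),),),
    "subjectAltName": (("DNS", "host1.example.com"), ("DNS", "host2.example.com")),
}

def report():
    """Evaluate both certificates against an FQDN and a short name."""
    rows = []
    for name, cert in (("cn-only", CN_ONLY), ("san", SAN_CERT)):
        for host in ("host1.example.com", "host1"):
            for fallback in (True, False):
                rows.append((name, host, fallback,
                             hostname_matches(cert, host, fallback)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```

The `san` certificate rejects the short name `host1` even though its CN is `host1`, because the SAN list takes precedence once it is present.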


Thanks for the reply bgooley.


Is it possible to add the FQDN of every host that will be in the cluster into one CSR using subjectAltName and use the one cert on every host?