Created 06-04-2018 01:18 PM
When generating certs for the hosts (not the CM server host), should the common name be the node's hostname (host1, host2...) or the web address (cm.example.com)?
Created 06-04-2018 01:31 PM
@vibe, Use the fully-qualified host name (cm.example.com).
Common Name has been deprecated, though, so you should consider utilizing SubjectAltName as a repository for all the host names that clients may use to access your host.
CN will work just fine, but may cause issues for clients such as Chrome or Firefox. See:
https://developers.google.com/web/updates/2017/03/chrome-58-deprecations "Remove Support for commonName matching in certificates" on that page.
While you can find a great deal more information out there, here is an example of a page that has more information:
http://wiki.cacert.org/FAQ/subjectAltName
Long story short:
Created 06-04-2018 01:33 PM
One more thing... I should state that you need to make sure that the subjectAltName or CN contains the host to which the client is connecting in order for the client to validate the hostname. In CDH we deal with FQDNs, so that is what we would expect you to require.
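The hostname check described in the replies above, as an added example that is not part of the original posts: it models a client that matches only subjectAltName dNSName entries next to a legacy client that falls back to the CN. The certificates are constructed dicts in the layout of Python's `ssl.SSLSocket.getpeercert()`; `host1.example.com` and all function names are assumptions made for illustration.

```python
# Added example: hostname validation against SAN vs. CN.
# Certificates are constructed samples in ssl getpeercert() dict layout.

def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with the host the client connected to.
    Only a whole left-most '*' label is treated as a wildcard."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_dns_names(cert: dict) -> list:
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_name(cert: dict):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def validate(cert: dict, host: str, allow_cn_fallback: bool = False) -> bool:
    """allow_cn_fallback=False models clients that no longer match on CN;
    True models legacy clients, which use the CN only when no SAN dNSName exists."""
    names = san_dns_names(cert)
    if names:
        return any(name_matches(n, host) for n in names)
    if allow_cn_fallback:
        cn = common_name(cert)
        return cn is not None and name_matches(cn, host)
    return False

CN_ONLY = {"subject": ((("commonName", "cm.example.com"),),)}
WITH_SAN = {"subject": ((("commonName", "cm.example.com"),),),
            "subjectAltName": (("DNS", "cm.example.com"), ("DNS", "host1.example.com"))}
SHORT_SAN = {"subject": ((("commonName", "host1"),),),
             "subjectAltName": (("DNS", "host1"),)}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("FQDN SANs", WITH_SAN), ("short SAN", SHORT_SAN)):
        for host in ("cm.example.com", "host1.example.com"):
            print(f"{label:10} {host:20} san-only={validate(cert, host)} "
                  f"legacy={validate(cert, host, allow_cn_fallback=True)}")
```

The CN-only certificate passes only with the legacy fallback, and the short-name SAN fails for a client connecting by FQDN.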
Created 06-04-2018 02:36 PM
Thanks for the reply, bgooley.
Is it possible to add the FQDN of every host that will be in the cluster into one CSR using subjectAltName and use the one cert on every host?