
----- Original Message -----
From: "Brian Reichert" <reichert@numachi.com>
The core issue I'm trying to resolve surrounds the generation of a CSR. We're trying to automate this process for a network appliance my employer sells.
When our appliance generates a CSR for itself, among the steps is to get a PTR record; by convention (or otherwise) these are rooted domain names.
When we generate a CSR, we're choosing to include the rooted domain name, as well as the other form (for now, I guess it should be called a FQDN, the version without the trailing dot).
The resulting issued certificate has both forms in the SubjectAltName field, and this allows both hostname forms to be used to establish an SSL connection to our server. They are considered distinct for the Subject verification phase.
My snap reaction is to say that nothing should ever be *trying* to compare a rooted F.Q.D.N. against a certificate; it is, as has been noted, merely command line/entry field shorthand to tell the local resolver where to quit; applications should all be stripping that trailing dot. Do you have evidence that the extra AltName with the trailing dot is operationally necessary?

Cheers,
-- jra

-- 
Jay R. Ashworth                  Baylink                      jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      #natog                      +1 727 647 1274