Hi Olga,
A few weeks ago you and Chuck were discussing duplication requirements
of the hostname in the CN field versus SAN extension in the certificate:
https://lore.kernel.org/linux-nfs/CAN-5tyENK71L1C=6NwdB4mkxxf1qYZ2-4e-p8FQM=SmA3tMT_g@xxxxxxxxxxxxxx/
For what it's worth, my own testing showed that the SAN DNS: element
doesn't need to duplicate the CN.
This is especially relevant in the case where the full DNS name is > 64
chars, which is not strictly allowed as a CN (and openssl for example
enforces that limit).
In that case, it works to put the short hostname in the CN, and the full
DNS name in a SAN DNS: extension. There is no need to duplicate the CN
entry in the SAN extension.
I also noted that using a wildcard CN (e.g. "*.acme.com") does not work.
I've yet to test mounting by IP, but will do so soon.
best wishes,
calum.
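
The CN/SAN layout described in the message above, as an added example that is not part of the original message. The hostname and the function names are constructed for illustration, and `-checkhost` exercises OpenSSL's own hostname matcher rather than the check made during an NFS mount.

```shell
# Constructed hostname for illustration: 76 characters, too long for a CN.
EXAMPLE_FQDN="nfs-server-01.storage.datacenter-east.infrastructure.engineering.example.com"
CN_MAX=64   # upper bound on commonName (ub-common-name in RFC 5280)

# Print the CN to use: the full name if it fits, else the short hostname.
cert_cn() {
    fqdn=$1
    if [ "${#fqdn}" -le "$CN_MAX" ]; then
        printf '%s\n' "$fqdn"
    else
        printf '%s\n' "${fqdn%%.*}"
    fi
}

# Print the subjectAltName value; it always carries the full DNS name.
cert_san() {
    printf 'DNS:%s\n' "$1"
}

# Write a throwaway self-signed key and certificate for host $1 into dir $2.
# Needs OpenSSL 1.1.1 or later for -addext.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$2/key.pem" -out "$2/cert.pem" \
        -subj "/CN=$(cert_cn "$1")" \
        -addext "subjectAltName=$(cert_san "$1")" 2>/dev/null
}

# Succeed if OpenSSL's own hostname matcher accepts name $1 for cert file $2.
# This is OpenSSL's check, not the one made during an NFS mount.
cert_matches_host() {
    openssl x509 -in "$2" -noout -checkhost "$1" | grep -q 'does match'
}
```

To try it, run `make_cert "$EXAMPLE_FQDN" "$(mktemp -d)"` and inspect the result with `openssl x509 -noout -subject -ext subjectAltName -in cert.pem`.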