Hi Calum,

My surprise was to find that having the DNS name in CN was not sufficient when a SAN (with IP) is present. Apparently it's the old way of automatically putting the DNS name in CN and these days it's preferred to have it in the SAN. If the infrastructure doesn't require pNFS (i.e. mounting by IP) then it doesn't matter where the DNS name is put in the certificate, whether it is in CN or the SAN. However, I found out that for a pNFS server like ONTAP, the certificate must contain a SAN with ipAddress and dnsName extensions regardless of having DNS in CN. I have not tried doing wildcards (in SAN for the DNS name) but I assumed GnuTLS would accept them. I should try it.
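
Added example, not part of the original message and not GnuTLS code: a small Python model of the name-matching behaviour described above, showing why a certificate with CN plus an IP-only SAN fails a mount by DNS name. Certificates use the dict layout of ssl.SSLSocket.getpeercert(); the host name, the 192.0.2.10 address and the single-label wildcard rule are assumptions made for the illustration.

```python
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive compare; '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # Assumed wildcard rule: covers exactly one label, never a bare domain.
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def name_matches(cert, target):
    """Return True if `target` (DNS name or IP literal) is covered by `cert`."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # Mount by IP: only iPAddress SAN entries count, never CN or dNSName.
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip
                   for t, v in san)
    if san:
        # Any SAN present (even IP-only): CN is ignored, as the message observed.
        return any(t == "DNS" and _dns_match(v, target) for t, v in san)
    # Legacy fallback: no SAN at all, so the CN is consulted.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return any(_dns_match(cn, target) for cn in cns)

# Constructed sample certificates (not taken from any real server).
SUBJECT = ((("commonName", "nfs.example.com"),),)
CN_ONLY = {"subject": SUBJECT}
CN_PLUS_IP_SAN = {"subject": SUBJECT,
                  "subjectAltName": (("IP Address", "192.0.2.10"),)}
DNS_AND_IP_SAN = {"subject": SUBJECT,
                  "subjectAltName": (("DNS", "nfs.example.com"),
                                     ("IP Address", "192.0.2.10"))}

if __name__ == "__main__":
    for label, cert in [("CN only", CN_ONLY),
                        ("CN + IP SAN", CN_PLUS_IP_SAN),
                        ("DNS + IP SAN", DNS_AND_IP_SAN)]:
        print(label,
              "name:", name_matches(cert, "nfs.example.com"),
              "ip:", name_matches(cert, "192.0.2.10"))
```

Only the third certificate passes for both the DNS name and the IP address, which is the layout the message says a pNFS server needs.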