Strange that it is not clarified somewhere…
I’m in doubt: what Subject and what subjectAltNames:DNS must be in the CSR if I generate it by hand?
For example, if my configuration is
_xmpp-server._tcp.domain.org IN SRV 5 0 5269 jabber.domain.org.
(domain name != hostname)
So what combination of fields in the CSR will be right?
Variants for Subject:
- Subject=emailAddress=somemail@domain.org,CN=domain.org,O=SomeOrg,L=SomeLocality,C=RU
- Subject=emailAddress=somemail@domain.org,CN=*.domain.org,O=SomeOrg,L=SomeLocality,C=RU
- Subject=emailAddress=somemail@domain.org,CN=jabber.domain.org,O=SomeOrg,L=SomeLocality,C=RU
- Subject=CN=*.domain.org,O=SomeOrg,L=SomeLocality,C=RU
Variants for subjectAltNames:DNS:
- subjectAltNames:DNS:*.domain.org
- subjectAltNames:DNS:jabber.domain.org
I think it is very important and must be placed somewhere in the documentation, because s2s strongly depends on the resulting signed certificate fields.