--On Wednesday, May 10, 2017 4:21 PM +0100 Howard Chu hyc@symas.com wrote:
No. One or the other must match, but the CN must be an FQDN. The point of alternatives is to support wildcards, aliases, and non-DNS name forms (such as IP address).
RFC reference?
Unfortunately, I can't do an IP-based cert either, since I've no idea what "localhost" will actually map to on the system.
Sorry, but that makes no sense. "localhost" is 127.0.0.1. Always.
Wish that were true, but I've come across installations where that wasn't the case (I've seen 127.0.0.2, for example). Also, on an IPv6-only machine, it could be ::1 (although again, I've seen it be other IPv6 addresses as well).
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
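
An added example, not part of the original message or of OpenLDAP: a Python check that compares what "localhost" actually resolves to on a host with the iPAddress subjectAltName entries of a certificate, and builds the OpenSSL `subjectAltName` value that would cover the resolved addresses. The helper names, the sample certificate and the sample resolver result are constructed for illustration; the certificate dict is assumed to have the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress
import socket

def resolve_all(name="localhost"):
    """Every distinct address the system resolver returns for `name`."""
    infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    # sockaddr[0] is the address text; drop any IPv6 zone id such as "%lo0".
    addrs = {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}
    return sorted(addrs, key=lambda a: (a.version, int(a)))

def san_ips(cert):
    """iPAddress SAN entries, parsed so that "0:0:0:0:0:0:0:1" equals "::1"."""
    return {ipaddress.ip_address(value.strip())
            for kind, value in cert.get("subjectAltName", ())
            if kind == "IP Address"}

def uncovered(resolved, cert):
    """Resolved addresses that no iPAddress SAN in the certificate matches."""
    covered = san_ips(cert)
    return [addr for addr in resolved if addr not in covered]

def san_config_line(resolved):
    """OpenSSL config value listing each resolved address as an IP SAN."""
    return "subjectAltName = " + ",".join(f"IP:{addr}" for addr in resolved)

# Constructed sample: a certificate issued for the conventional loopback addresses.
SAMPLE_CERT = {"subjectAltName": (("IP Address", "127.0.0.1"),
                                  ("IP Address", "0:0:0:0:0:0:0:1"))}
# Constructed sample: a host whose "localhost" maps to 127.0.0.2 and ::1.
SAMPLE_RESOLVED = [ipaddress.ip_address("127.0.0.2"),
                   ipaddress.ip_address("::1")]

if __name__ == "__main__":
    print("constructed host, not covered:",
          uncovered(SAMPLE_RESOLVED, SAMPLE_CERT))
    here = resolve_all("localhost")
    print("this host resolves localhost to:", here)
    print("not covered by sample cert:", uncovered(here, SAMPLE_CERT))
    print(san_config_line(here))
```
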