--On Wednesday, May 10, 2017 10:49 AM -0700 Ryan Tandy <ryan(a)nardis.ca&gt; wrote: > On Wed, May 10, 2017 at 09:32:59AM -0700, Quanah Gibson-Mount wrote: >> RFC 6761 specifically notes that "localhost." is in fact a domain name >> (Section 6.3). Therefore, my certificates are in fact correct, and >> the OpenLDAP code check is indeed a bug. > > "localhost." is a perfectly valid FQDN (as is the relatively common > "localhost.localdomain."), but from earlier in the thread I gathered your > system's FQDN is actually "u16build." or "u16build.some.domain.". The FQDN of the system is immaterial. The point is to have a certificate without *any* reference to the system hostname, and be entirely based on localhost. The RFCs seem to indicate that is perfectly legitimate. It is the OpenLDAP code check that breaks this ability.