When a certificate is used as a client certificate (either node.crt for the node if we did not detect a separate client.node.crt), the username is what needs to be verified and is stored in the CN.
When a certificate is used as a server certificate (only node.crt), the list of addresses and DNS names used to reach it must be in the Subject Alternative Names field.
I agree with you that the dual-purpose node.crt is a little odd, which is why we've just added the possibility to split node certificates into server-side (node.crt) and client-side (client.node.crt).
However, the use of the CN to store a username for a client certificate is perfectly normal.
Furthermore, requiring the hostname (which one? in some of our deployments, there are up to 5 IP addresses or DNS names that can reach a node) to be in CN has been deprecated for ages. The hostname must be found in the combination of CN and Subject Alternative Names.