Now that I've got 2.1.22 more or less working (with my own CA-signed
certificates), the next obstacle is servers having several names. For
example, ldap.example.com/ldap.au.example.com/server.example.com would all
be the same machine.
I've perused the archives, and found several messages referring to this
(but in reference to round-robin DNS), but nothing along the lines of
"this is how you do it". What I have been able to find implies that a
single alternate name can be given (and unless I change a lot of things
over which I have limited control, I need several), but muddling around in
RFC2830 (section 3.6) reveals that subjectAltName is to be used (if
present) in preference to the certificate name, thereby defeating the
purpose of alternate names...
So, how have people done this? Assume I know nothing about X.509...
PS: The X.509 Style Guide by Peter Gutmann is a hoot!