I am an old-timer with X.509 and was active long ago in the IETF PKIX work. That said, it is sad how long it has taken X.509 to get more commonly used and how much old cruft is carried forward that was supposedly deprecated.
For example in
To avoid problems while importing the certificate in Internet Explorer, the Common Name (CN) field should match the server FQDN.
This is wrong. CN was deprecated for subjectAltName (SAN). Of course openSSL command line does not support SAN, see
draft-moskowitz-ecdsa-pki sec 9.3
But it CAN and SHOULD be used. Minimally for ‘backwards compatibility’, CN and SAN should both occur.
Instead of single self-signed certs per server and service, what about a Nethserver installation pki? If not based on my drafts (for the ECDSA, Michael Richardson has pulled out all the scripts on my github
Hubert Kario email@example.com has on his github
And it has been a while, but I seem to recall that webmin had a pki feature (but it has been a few years since I used it).
What about CRL and OCSP? Client email certs. etc.
First step is what is the pki tree look like. What have you discussed here in the past. I did a search on x.509 and did not find any discussion on the subject (pun intended), but my search foo is known to be weak.
So please fill me in