I am a little puzzled by the statements in section 3.2.3 commonName of GFD125:

"For certificates issued to networked entities, typically the (primary) FQDN of the server is included in the commonName. For regular network entity certificates, there MUST NOT be any additional characters in the commonName[25].

[25] Some components of some grid middleware also recognize Kerberos-style 'service' names in the CN as well that look like 'servicename/fqdn'. In the majority of the cases, a normal server certificate without the 'servicename/'-qualifier can be used as well, although the documentation of the middleware will not always state that clearly. It is recommended to phase out the 'servicename/'-qualifiers where possible."

This seems to take the point of view that there is only a single network entity running on a given host, when there can be many network entities on one host, bound to different ports and with different people responsible for administering them. I would think it is a better strategy to encourage the use of 'servicename' qualifiers in the CN for different entities on the same host and then require the use of DNSName in SubjectAltName for those people that want to check an FQDN.

I think it is clearly NOT a good idea to force the reuse of a single host certificate for many different services running on that host. In this case you either have all those services running in the same UID, or you make multiple copies of the host private key, OR issue multiple certificates with the same CN that are used for different entities (policy violation).

Doug
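As an added illustration of the scheme described in the post above (this is not code from the thread or from GFD125): the block below uses Go's crypto/x509 as a stand-in for a verifier that matches the FQDN against SubjectAltName dNSName entries only. The service names "ldap" and "gsiftp" and the host "se01.example.org" are made up for the example. It mints two self-signed per-service certificates for the same host, each with a distinct 'servicename/fqdn' commonName but the same SAN dNSName, and shows that both pass FQDN verification, that the qualified CN itself never has to be matched, and that a certificate carrying the FQDN only in the CN (no SAN) is rejected by a SAN-only verifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeServiceCert builds a self-signed certificate for one service on a host.
// If service is non-empty the commonName is the Kerberos-style "service/fqdn";
// otherwise it is the bare FQDN. If withSAN is set, the bare FQDN is also put
// into subjectAltName as a dNSName. All names are illustrative assumptions.
func makeServiceCert(service, fqdn string, withSAN bool) (*x509.Certificate, error) {
	// Each service gets its own key, so no private key has to be copied
	// between UIDs or daemons on the host.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	cn := fqdn
	if service != "" {
		cn = service + "/" + fqdn
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{fqdn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameMatches reports whether a SAN-only verifier (Go's VerifyHostname
// ignores the commonName) accepts cert as belonging to name.
func hostnameMatches(cert *x509.Certificate, name string) bool {
	return cert.VerifyHostname(name) == nil
}

func main() {
	const host = "se01.example.org" // assumed host name
	ldap, _ := makeServiceCert("ldap", host, true)
	ftp, _ := makeServiceCert("gsiftp", host, true)
	cnOnly, _ := makeServiceCert("", host, false)

	for _, c := range []*x509.Certificate{ldap, ftp, cnOnly} {
		fmt.Printf("CN=%-28s SAN=%v  matches %s: %v\n",
			c.Subject.CommonName, c.DNSNames, host, hostnameMatches(c, host))
	}
	// The qualified CN is not something a hostname check should ever match.
	fmt.Println("ldap/ CN accepted as a hostname:", hostnameMatches(ldap, "ldap/"+host))
}
```

The point a practitioner takes from running this: once the FQDN lives in SubjectAltName, the CN is free to distinguish services on one host, and middleware that checks the FQDN keeps working as long as it consults the SAN rather than the CN.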