author: Russ Allbery <rra@stanford.edu>, 2013-02-03 21:40:12 -0800
committer: Russ Allbery <rra@stanford.edu>, 2013-02-05 20:21:08 -0800
commit: f806961bf9e6be8e07f2e304a3aa9906add2aad6
tree: aee129d35507f746ec3297e70fc38601cd3ac9e9 /docs
parent: bf18b39b6afe541e6888d32d6a555643cbe9d22e
Add another case to the Stanford ssl-key naming convention
If there are multiple SSL private keys for the same host-based CN, an application name can be added as an additional component of the name.

Change-Id: I06e25359b291a77a7dbca1a7f3db84afb2b16ddd
Reviewed-on: https://gerrit.stanford.edu/754
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'docs')
-rw-r--r-- docs/stanford-naming 8
1 files changed, 7 insertions, 1 deletions
diff --git a/docs/stanford-naming b/docs/stanford-naming
index f88d148..aa59f68 100644
--- a/docs/stanford-naming
+++ b/docs/stanford-naming
@@ -119,7 +119,7 @@ Object Naming
(OLD: <group>-<server>-ssh-<type>)
- ssl-key/<server>
+ ssl-key/<server>[/<application>]
Stores the SSL X.509 certificate private key for <server>. Used
for Apache, Postfix, LDAP, and similar cases where the certificate
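Review bot: The unchanged description line directly under the new heading still reads "Stores the SSL X.509 certificate private key for <server>", so a reader who stops at the heading and its first sentence sees an optional [/<application>] component with no explanation until several lines later. Consider extending that first sentence to mention the application-specific case, or moving the new explanatory paragraph up so it sits next to the heading it qualifies.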
@@ -130,6 +130,12 @@ Object Naming
virtual hosts, for example, or because the certificate is for a
load-balanced name).
+ An optional <application> component may be added if there are
+ multiple certificates with the same host name as the CN but with
+ different private keys. (This may happen if, for example,
+ multiple services are running on the same FQDN but should have
+ isolated security contexts.)
+
Use ssl-key/starYYYY.stanford.edu for the key for the
*.stanford.edu certificate, where YYYY is the expiration year.
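Review bot: The added paragraph says an <application> component "may be added" but does not say what form the name takes or whether the plain ssl-key/<server> object should still exist alongside the suffixed ones, which leaves room for inconsistent names across services that are meant to have "isolated security contexts". The wildcard case in the following context lines gets a concrete example (ssl-key/starYYYY.stanford.edu); a similar concrete example here, plus one sentence on whether the unsuffixed name remains valid when suffixed names are in use, would make the convention unambiguous.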