RFC 6125 which in turn mentions RFC 4513.
Thanks.
From RFC 6125:
6.4.4. Checking of Common Names
As noted, a client MUST NOT seek a match for a reference identifier
of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
URI-ID, or any application-specific identifier types supported by the
client.
Therefore, as I noted, the certcn is immaterial since I have a DNS: value
specified, and it is then required that the certcn be ignored. The rest
of the RFC doesn't really cover special cases like localhost. I still
see nothing in the RFC that states what I'm doing is invalid. It does
appear to be outside of what's normally done, but that's not surprising.
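
The rule quoted above from RFC 6125 section 6.4.4, sketched as an added example that is not part of the original message or of any project's code. The certificate dictionaries follow the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the host names, the set of supported identifier types and the exact-match comparison (no wildcard handling) are assumptions made for illustration.

```python
# Added example: CN-ID is consulted only when the certificate presents no
# subjectAltName identifier of a type the client supports (RFC 6125, 6.4.4).

# Identifier types this hypothetical client supports (assumption).
SUPPORTED_SAN_TYPES = frozenset({"DNS", "URI"})


def common_names(cert):
    """Return every commonName value found in the certificate subject."""
    return [value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def presented_identifiers(cert, supported=SUPPORTED_SAN_TYPES):
    """Return the identifiers a client may match against.

    If any supported SAN entry exists, only those are returned and the
    CN is ignored; otherwise the CN values are the last resort.
    """
    sans = [(kind, value)
            for kind, value in cert.get("subjectAltName", ())
            if kind in supported]
    if sans:
        return sans
    return [("CN", cn) for cn in common_names(cert)]


def host_matches(cert, reference_host):
    """Exact, case-insensitive comparison of a host name (no wildcards)."""
    ref = reference_host.rstrip(".").lower()
    return any(kind in ("DNS", "CN") and value.rstrip(".").lower() == ref
               for kind, value in presented_identifiers(cert))


# Constructed sample certificates (not taken from the thread).
CERT_WITH_DNS_ID = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "ldap.example.test"),),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "localhost"),),),
}
```

With `CERT_WITH_DNS_ID` the CN `localhost` is never compared, so a client connecting to `localhost` fails the check even though the CN would have matched.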