#2578 (comment)

Similar to the "soft-failures" we have on image import, we could probably decode the certificate and verify that either the the CN or SAN covers the computed silo url {silo}.sys.{domain}. Less useful for long term users, but likely nice for initial silo creation.

Seems like a quick win, design work is minimal since we can just reuse the pattern from image import. @augustuswm have you got a test cert you could send to play with.