Invalid Common Name when using a SAN certificate

I have generated a certificate for an internal server that is also accessible externally. According to this SO answer the CN and the SAN fields complement each other, and so accordingly I set the CN to server.domain.local and in the SAN I have DNS:server.domain.tld

However, with Chrome at least, I can browse to server.domain.tld (SAN entry) without error but I get a common name mismatch error at server.domain.local (CN).

Is this an implementation error in NSS on Chrome or have I done something wrong? Should I have both server.domain.local and server.domain.tld in the SAN field?

JonoCoetzee asked Sep 22 '14 09:09


1 Answer

the CN and the SAN fields compliment each other and so accordingly I set the CN to server.domain.local and in the SAN I have DNS:server.domain.tld

No (but that post is kind of old now).

Placing a DNS name in the Common Name (CN) is deprecated by both the IETF and CA/Browser Forums. You should place all DNS names in the Subject Alternative Name (SAN). Use the CN for a friendly name like "Example LLP" since it's displayed to the user.

According to the CA/Browser Baseline Requirements (BR), a DNS name in the CN must also be present in the SAN. See CA/B BR, Section 9.2.


Chrome at least, I can browse to server.domain.tld (SAN entry) without error but I get a common name mismatch error at server.domain.local (CN)

Chrome is correctly rejecting the certificate if server.domain.local is present in the CN, but is not present in the SAN. It's a violation of the CA/B BR if it's not present in both.


Should I have both server.domain.local and server.domain.tld in the SAN field?

Yes, place both DNS names in the SAN. Don't put a DNS name in the CN. Use the CN for a friendly name.


For completeness, CA/B stands for CAs and Browsers. They have their own little closed club, and they have their own set of policies for issuing certificates. Don't expect browsers to do things as specified in the IETF docs.

And if you are validating X509 certificates used in the wild issued by a CA that is a member of CA/B, then you should validate using the CA/B BR, and not the IETF docs.

jww answered Sep 19 '22 04:09
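The behaviour the answer describes, as an added example that is not part of the original question or answer: a small hostname matcher that, like Chrome, consults only SAN dNSName entries once any are present, plus a CA/B-style check that a DNS-looking CN also appears in the SAN. The `Cert` dataclass and the two sample certificates are constructed stand-ins for parsed X.509 subjects, not real certificates.

```python
"""Hostname matching the way browsers do it: SAN dNSName entries are
authoritative, and the CN is ignored once any dNSName is present.
Cert objects are constructed stand-ins for parsed X.509 subjects."""
import re
from dataclasses import dataclass, field

@dataclass
class Cert:
    common_name: str
    san_dns: list = field(default_factory=list)

def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive label comparison; '*' may only stand for the
    whole left-most label and never spans a dot (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*" and len(p) >= 3:
        return p[1:] == h[1:]
    return p == h

def hostname_matches(cert: Cert, host: str) -> bool:
    """True if the certificate covers host. Mirrors Chrome's behaviour:
    with SAN dNSName entries present, only those are checked."""
    if cert.san_dns:
        return any(_name_matches(n, host) for n in cert.san_dns)
    return False  # a CN-only certificate is no longer accepted

def ca_b_issues(cert: Cert) -> list:
    """CA/B Baseline Requirements check: a DNS-looking CN must also be in
    the SAN, and the SAN must carry at least one dNSName."""
    issues = []
    looks_like_dns = re.fullmatch(r"[A-Za-z0-9*][A-Za-z0-9.-]*\.[A-Za-z0-9-]+",
                                  cert.common_name)
    if looks_like_dns and cert.common_name.lower() not in [n.lower() for n in cert.san_dns]:
        issues.append(f"CN {cert.common_name!r} is a DNS name but not in the SAN")
    if not cert.san_dns:
        issues.append("no SAN dNSName entries")
    return issues

# Constructed examples: the asker's certificate and the corrected one.
ASKERS_CERT = Cert("server.domain.local", ["server.domain.tld"])
FIXED_CERT = Cert("Example LLP", ["server.domain.local", "server.domain.tld"])

if __name__ == "__main__":
    for cert in (ASKERS_CERT, FIXED_CERT):
        for host in ("server.domain.local", "server.domain.tld"):
            print(f"CN={cert.common_name!r} host={host}: {hostname_matches(cert, host)}")
        print(ca_b_issues(cert))
```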