Tuesday, November 7, 2017

CN and Subject Alternative Names in SSL/TLS certificates

In this post I will show you why the CN is not very important if you are using SubjectAltNames.

Most browsers (Chrome, Opera, Vivaldi, Firefox) do NOT care about the subject CN if the certificate is a SAN certificate.

Take this self-signed certificate for various web sites at 1plus1eq2.com. It has the following alt.Names installed in the certificate.

[screenshot: the certificate's Subject Alternative Name list]

Take note of the duplicate alternate name btw ;)








This certificate, when loaded on a web site and enabled, loads with no certificate error when using any one of the alternate names, which is all good and normal.

The CN for the certificate was simply labeled as "tstupidcname".

[table screenshot: Alt.Name | chrome | firefox | vivaldi | Safari]

If you try to load the site using the CN with Firefox, for example, it will throw an error and even tell you that the certificate protects the sites listed in the Alt.Name section.

cool ;)





So what you need to understand is that for any issued X.509v3 certificate that has the Alt.Name extension, "the web browser will ignore the CN field in the subject line and will NOT fall back to that CN".


Chrome also exhibits an error if you try to use the CN.

But look here; Safari 10.1.2 loads the site with no error when using the CN.
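To make the rule concrete, here is an added example (my own code, not from the original post) of hostname matching done the way the post describes Chrome, Firefox and Vivaldi doing it: when the certificate carries a Subject Alternative Name extension, only the SAN entries are consulted and the subject CN is ignored. The certificate is represented in the shape Python's ssl.SSLSocket.getpeercert() returns; the sample certificate below is constructed to mirror the post's setup (CN "tstupidcname", a SAN list with one duplicate entry). The `cn_fallback` flag is an assumption that reproduces the lenient outcome the post observed in Safari 10.1.2 (accepting the CN even though a SAN list is present); the post does not state the exact rule Safari applied.

```python
"""Hostname matching against a certificate's SAN entries (and, optionally, its CN).

Cert dicts use the layout of ssl.SSLSocket.getpeercert(): 'subject' is a tuple
of RDNs, each a tuple of (attribute, value) pairs; 'subjectAltName' is a tuple
of (type, value) pairs such as ('DNS', 'example.com') or ('IP Address', '10.0.0.1').
"""
import ipaddress

# Constructed sample modelled on the post's self-signed certificate:
# a throwaway CN plus a SAN list containing one duplicate dNSName.
SAMPLE_CERT = {
    "subject": ((("commonName", "tstupidcname"),),),
    "subjectAltName": (
        ("DNS", "1plus1eq2.com"),
        ("DNS", "www.1plus1eq2.com"),
        ("DNS", "www.1plus1eq2.com"),      # duplicate entry, as noted in the post
        ("DNS", "*.lab.1plus1eq2.com"),    # hypothetical wildcard entry for illustration
    ),
}


def _dns_match(pattern, hostname):
    """RFC 6125 style dNSName match: exact match, or a '*' that is the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, must sit under at least two
    # more labels, and matches exactly one label on the hostname side.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_names(cert):
    """Return the certificate's DNS / IP SAN entries with duplicates removed, order preserved."""
    seen, out = set(), []
    for typ, val in cert.get("subjectAltName", ()):
        if typ in ("DNS", "IP Address") and (typ, val) not in seen:
            seen.add((typ, val))
            out.append((typ, val))
    return out


def common_name(cert):
    """Return the subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for attr, val in rdn:
            if attr == "commonName":
                return val
    return None


def match_hostname(cert, hostname, cn_fallback=False):
    """Return True if `hostname` is covered by `cert`.

    Default (cn_fallback=False): only SAN entries are checked; the CN is never
    consulted, which is the behaviour the post reports for Chrome, Firefox and
    Vivaldi. With cn_fallback=True the CN is also accepted after SAN matching
    fails, modelling the lenient result the post saw in Safari 10.1.2.
    """
    for typ, val in san_names(cert):
        if typ == "DNS" and _dns_match(val, hostname):
            return True
        if typ == "IP Address":
            try:
                if ipaddress.ip_address(val) == ipaddress.ip_address(hostname):
                    return True
            except ValueError:
                pass  # hostname is not an IP literal; an IP SAN cannot match it
    if cn_fallback:
        cn = common_name(cert)
        return cn is not None and _dns_match(cn, hostname)
    return False


if __name__ == "__main__":
    for host in ("1plus1eq2.com", "www.1plus1eq2.com", "tstupidcname"):
        print(f"{host:24} strict={match_hostname(SAMPLE_CERT, host)} "
              f"cn_fallback={match_hostname(SAMPLE_CERT, host, cn_fallback=True)}")
```

Running it shows the two alternate names accepted under both modes, while "tstupidcname" is rejected in strict mode and accepted only with the fallback, which is exactly the split between Firefox/Chrome and Safari that the post describes. The duplicate SAN entry is harmless for matching; `san_names` simply collapses it.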







Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \

