[openssl-users] Subject CN and SANs
Walter H.
Walter.H at mathemainzel.info
Sun Dec 23 11:53:26 UTC 2018
I tried the following:
the certificate had a CN of test.example.com, and in subjectAltNames the
dNS entries were
test.example.com and test.example.net
when the Apache ServerName is test.example.net I get this warning:
[Sun Dec 23 12:45:03 2018] [warn] RSA server certificate CommonName (CN)
`test.example.com' does NOT match server name!?
so the CN matters ...
so the server behavior is something different to the behavior of the
client ...
Walter
On 23.12.2018 10:44, Kyle Hamilton wrote:
> Does Apache only examine CN=, or does it also check subjectAltNames dNS entries?
>
> -Kyle H
>
> On Sun, Dec 23, 2018 at 3:25 AM Walter H.<Walter.H at mathemainzel.info> wrote:
>> On 23.12.2018 03:47, Salz, Rich via openssl-users wrote:
>>>>> New certificates should only use the subjectAltName extension.
>>>
>>>> Are any CAs actually doing that? I thought they all still included subject.CN.
>>> Yes, I think commercial CAs still do it. But that doesn't make my statement wrong :)
>>>
>> Apache raises a warning at the following condition
>>
>> e.g. a virtual Host defines this:
>>
>> ServerName www.example.com:443
>>
>> and the SSL certificate has a CN which does not correspond to
>> CN=www.example.com, e.g. CN=example.com
>>
>> then the warning looks like this
>>
>> [Fri Dec 07 07:08:19.393876 2018] [ssl:warn] [pid 29746] AH01909:
>> www.example.com:443:0 server certificate does NOT include an ID which
>> matches the server name
>>
>> and fills up the logs
>>
>> Walter
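The client-side rule the thread contrasts with Apache's warning (RFC 6125: SAN dNSName entries are authoritative and the CN is only consulted when the certificate carries no dNSName SAN) beside a CN-only comparison, as an added example that is not part of the thread or of any Apache/OpenSSL code. It assumes the certificate dict layout returned by Python's ssl.SSLSocket.getpeercert() and a constructed certificate shaped like the one Walter describes.

```python
# Added example: hostname matching as a TLS client does it (RFC 6125) versus a
# CN-only comparison like the one behind the "CommonName (CN) ... does NOT match
# server name" warning quoted in the thread. Certificates use the dict layout of
# ssl.SSLSocket.getpeercert(); no network access is needed.

def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive label match; '*' is accepted only as the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    # Reject partial-label wildcards (f*o.example.com), '*.com'-style patterns,
    # and wildcards spanning more than one label (RFC 6125 section 6.4.3).
    if p_labels[0] != '*' or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def san_dns_names(cert: dict) -> list:
    """All dNSName entries of subjectAltName (empty list if the extension is absent)."""
    return [value for kind, value in cert.get('subjectAltName', ()) if kind == 'DNS']

def common_names(cert: dict) -> list:
    """All commonName attributes of the subject DN, in order."""
    return [v for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']

def client_matches(cert: dict, hostname: str) -> bool:
    """RFC 6125 client behaviour: SAN dNSNames decide; CN is a fallback only when none exist."""
    names = san_dns_names(cert) or common_names(cert)
    return any(_dns_match(n, hostname) for n in names)

def cn_only_matches(cert: dict, hostname: str) -> bool:
    """CN-only comparison: the check that trips the warning quoted in the thread."""
    return any(_dns_match(n, hostname) for n in common_names(cert))

# Constructed certificate with the CN and SANs described in the thread.
CERT = {
    'subject': ((('commonName', 'test.example.com'),),),
    'subjectAltName': (('DNS', 'test.example.com'), ('DNS', 'test.example.net')),
}

if __name__ == '__main__':
    for host in ('test.example.net', 'test.example.com', 'www.example.com'):
        print(f"{host}: client={client_matches(CERT, host)} cn_only={cn_only_matches(CERT, host)}")
```

For ServerName test.example.net the client check accepts the certificate while the CN-only check rejects it, which is exactly the mismatch the warning reports.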