[openssl-users] Subject CN and SANs
Walter H.
Walter.H at mathemainzel.info
Sun Dec 23 09:24:55 UTC 2018
On 23.12.2018 03:47, Salz, Rich via openssl-users wrote:
> > >. New certificates should only use the subjectAltName extension.
>
>> Are any CAs actually doing that? I thought they all still included subject.CN.
>
> Yes, I think commercial CA's still do it. But that doesn't make my statement wrong :)
>
Apache raises a warning at the following condition
e.g. a virtual Host defines this:
ServerName www.example.com:443
and the SSL certificate has a CN which does not correspond to
CN=www.example.com, e.g. CN=example.com
then the warning looks like this
[Fri Dec 07 07:08:19.393876 2018] [ssl:warn] [pid 29746] AH01909:
www.example.com:443:0 server certificate does NOT include an ID which
matches the server name
and fills up the logs
Walter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3491 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181223/17a1286f/attachment-0001.bin>
More information about the openssl-users
mailing list