[openssl-users] Subject CN and SANs

Kyle Hamilton aerowolf at gmail.com
Sun Dec 23 09:44:09 UTC 2018


Does Apache only examine CN=, or does it also check subjectAltNames dNS entries?

-Kyle H

On Sun, Dec 23, 2018 at 3:25 AM Walter H. <Walter.H at mathemainzel.info> wrote:
>
> On 23.12.2018 03:47, Salz, Rich via openssl-users wrote:
> >     >  >. New certificates should only use the subjectAltName extension.
> >
> >>     Are any CAs actually doing that? I thought they all still included subject.CN.
> >
> > Yes, I think commercial CAs still do it.  But that doesn't make my statement wrong :)
> >
> Apache raises a warning at the following condition
>
> e.g. a virtual Host defines this:
>
> ServerName  www.example.com:443
>
> and the SSL certificate has a CN which does not correspond to
> CN=www.example.com, e.g.  CN=example.com
>
> then the warning looks like this
>
> [Fri Dec 07 07:08:19.393876 2018] [ssl:warn] [pid 29746] AH01909:
> www.example.com:443:0 server certificate does NOT include an ID which
> matches the server name
>
> and fills up the logs
>
> Walter
>
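
The check behind the AH01909 warning quoted above, as an added example that is not part of the thread and is not mod_ssl source: it compares a `ServerName` against a certificate's dNSName SANs and subject CN under three CN policies. The function names, the `cn_fallback` parameter and the sample certificates are assumptions made for this illustration; which policy a given server applies is not stated in the thread.

```python
# Added illustration, not mod_ssl code. Certificates are constructed dicts in
# the shape returned by ssl.SSLSocket.getpeercert().

def server_host(server_name):
    """Strip the optional :port from a ServerName value such as host:443."""
    return server_name.lower().partition(":")[0]

def cert_ids(cert):
    """Return (dNSName SAN entries, subject CN values) found in the certificate."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return sans, cns

def id_matches(pattern, host):
    """Exact match, or a leading '*.' standing for exactly one left-most label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return False

def matching_id(server_name, cert, cn_fallback="no-san"):
    """Return the certificate ID matching server_name, or None (warning case).

    cn_fallback (hypothetical knob): "always" checks CN as well as SANs,
    "no-san" checks CN only when no dNSName SAN exists (RFC 6125 style),
    "never" ignores CN entirely.
    """
    host = server_host(server_name)
    sans, cns = cert_ids(cert)
    candidates = list(sans)
    if cn_fallback == "always" or (cn_fallback == "no-san" and not sans):
        candidates += cns
    return next((c for c in candidates if id_matches(c, host)), None)

# Constructed sample certificates.
CN_ONLY = {"subject": ((("commonName", "example.com"),),)}
CN_PLUS_SAN = {"subject": ((("commonName", "example.com"),),),
               "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"))}
SAN_OTHER = {"subject": ((("commonName", "www.example.com"),),),
             "subjectAltName": (("DNS", "mail.example.com"),)}

if __name__ == "__main__":
    for label, cert in (("CN_ONLY", CN_ONLY), ("CN_PLUS_SAN", CN_PLUS_SAN),
                        ("SAN_OTHER", SAN_OTHER)):
        for mode in ("always", "no-san", "never"):
            print(label, mode, matching_id("www.example.com:443", cert, mode))
```

`CN_ONLY` reproduces the case in the quoted message (CN=example.com, ServerName www.example.com:443) and yields no matching ID under any policy; `SAN_OTHER` is the case where the three policies disagree.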
