[openssl-users] Subject CN and SANs

Walter H. Walter.H at mathemainzel.info
Sun Dec 23 11:53:26 UTC 2018

I tried the following

the certificate had a CN of    test.example.com   and in subjectAltNames 
dNS were
test.example.com  and test.example.net

when the Apache ServerName is   test.example.net  I get this warning

[Sun Dec 23 12:45:03 2018] [warn] RSA server certificate CommonName (CN) 
`test.example.com' does NOT match server name!?

so the CN matters ...

so the server behavior is something different to the behavior of the 
client ...


On 23.12.2018 10:44, Kyle Hamilton wrote:
> Does Apache only examine CN=, or does it also check subjectAltNames dNS entries?
> -Kyle H
> On Sun, Dec 23, 2018 at 3:25 AM Walter H.<Walter.H at mathemainzel.info>  wrote:
>> On 23.12.2018 03:47, Salz, Rich via openssl-users wrote:
>>>      >   >. New certificates should only use the subjectAltName extension.
>>>>      Are any CAs actually doing that? I thought they all still included subject.CN.
>>> Yes, I think commercial CA's still do it.  But that doesn't make my statement wrong :)
>> Apache raises a warning at the following condition
>> e.g. a virtual Host defines this:
>> ServerName  www.example.com:443
>> and the SSL certificate has a CN which does not correspond to
>> CN=www.example.com, e.g.  CN=example.com
>> then the warning looks like this
>> [Fri Dec 07 07:08:19.393876 2018] [ssl:warn] [pid 29746] AH01909:
>> www.example.com:443:0 server certificate does NOT include an ID which
>> matches the server name
>> and fills up the logs
>> Walter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3491 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181223/91b85213/attachment.bin>

More information about the openssl-users mailing list