14

Creating a certificate request for my Exchange server, I am wondering if SANs and CNs are case sensitive?

kimo pryvt
  • No, they are not, at least theoretically. The convention is to use all lower case. – Xander Feb 08 '17 at 22:15
  • Microsoft has a tendency to unofficially require uppercase when deploying thumbprints via GPO for something like RemoteApp. Outside of that, most everyone I know keeps them lowercase. – Mike H Mar 03 '20 at 22:26

1 Answer

13

No, they are not case sensitive. To quote RFC 5280 (emphasis mine):

When the subjectAltName extension contains a domain name system
label, the domain name MUST be stored in the dNSName (an IA5String).
The name MUST be in the "preferred name syntax", as specified by
Section 3.5 of RFC1034 and as modified by Section 2.1 of
RFC1123. Note that while uppercase and lowercase letters are
allowed in domain names, no significance is attached to the case.

The referenced RFC 1034 echoes this:

Note that while upper and lower case letters are allowed in domain names, no significance is attached to the case. That is, two names with the same spelling but different case are to be treated as if identical.

(The modification referenced as part of RFC 1123 was to allow the first character of a legal host name to be a digit, and is unrelated to case.)

gowenfawr
  • For the latest Chrome browser, CN is case sensitive. Check for yourself: http://fe.thenetworksolution.it – Marco Marsala Nov 22 '18 at 12:13
  • @MarcoMarsala that certificate is invalid because it's signed by a non-trusted CA ("CA Agenzia delle Entrate"), not because of case. There are helpful instructions for trusting their CA at https://www.agenziaentrate.gov.it/wps/content/nsilib/nsi/strumenti/software+di+compilazione/verificafirma should you choose to do so... of course, it's telling that the cert for THAT site is signed by DigiCert. – gowenfawr Nov 24 '18 at 19:01
  • Obviously I already trusted that CA. This was reported as a Chrome bug: https://bugs.chromium.org/p/chromium/issues/detail?id=907936#c1 – Marco Marsala Nov 26 '18 at 09:46
  • @MarcoMarsala after trusting the root, you are getting NET::ERR_CERT_COMMON_NAME_INVALID because there is no matching SAN entry in the cert (there are, in fact, no Subject Alternative Name entries at all in that cert). Chrome removed support for CommonName matching as described at https://groups.google.com/a/chromium.org/forum/m/#!topic/security-dev/IGT2fLJrAeo . Case sensitivity is not the issue. – gowenfawr Nov 26 '18 at 15:07
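
The two behaviours discussed in this thread (dNSName comparison ignores case, and a certificate with no SAN entries fails even when the CN matches), as an added example that is not part of the original answer or comments. The certificate dicts follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names are constructed, and the single-label wildcard rule is an assumption that goes beyond what the thread covers.

```python
# Added example: case-insensitive dNSName matching with no CN fallback.
# Certificate dicts use the shape returned by ssl.SSLSocket.getpeercert().

def labels(name):
    """Lower-case an ASCII DNS name and split it into labels."""
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, hostname):
    """Compare one dNSName entry to a hostname, ignoring ASCII case.

    Assumption: "*" is honoured only as the complete left-most label and
    matches exactly one label; "*.tld" style patterns are rejected.
    """
    p, h = labels(pattern), labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches_host(cert, hostname):
    """Return (ok, reason); only subjectAltName DNS entries are consulted."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not sans:
        return False, "no dNSName SAN entries (CN is ignored)"
    for san in sans:
        if dns_name_matches(san, hostname):
            return True, "matched SAN " + san
    return False, "no SAN entry matches"

# Constructed sample certificates (not taken from any real site).
MIXED_CASE_SAN = {
    "subject": ((("commonName", "Mail.Example.COM"),),),
    "subjectAltName": (("DNS", "Mail.Example.COM"),
                       ("DNS", "*.Corp.Example.com")),
}
CN_ONLY = {"subject": ((("commonName", "mail.example.com"),),)}

if __name__ == "__main__":
    for cert, host in [(MIXED_CASE_SAN, "mail.example.com"),
                       (MIXED_CASE_SAN, "OWA.corp.example.COM"),
                       (MIXED_CASE_SAN, "a.b.corp.example.com"),
                       (CN_ONLY, "mail.example.com")]:
        print(host, cert_matches_host(cert, host))
```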