A little bit of context: we are seeing this finding a lot. We use wildcard certificates on public-facing websites.
The finding is titled:
"X.509 Certificate Subject CN Does Not Match the Entity Name"
Below, I have added further details about the report on the finding from the scan (in Block quotes) and I have provided my comments underneath. I hope that someone with more experience may provide feedback to ensure my thought process is valid and that this is in fact a false positive.
From research and reviewing the indicators I believe it to be a false positive for the following reasons (please note, I have changed the domain name):
> Subject CN *.somedomain.com does not match target name specified in the site.

Site refers to the name given to the asset within the scan configuration. In this case all assets are scanned by their IP address. The IP address doesn't match the CN.
> Subject CN *.somedomain.com could not be resolved to an IP address via DNS lookup

Given that wildcard certificates are used, a wildcard domain will not resolve with a DNS lookup.
> Subject Alternative Name *.somedomain.com does not match target name specified in the site.

The IP address is not listed as an alternative name. No match.
> Subject Alternative Name somedomain.com does not match target name specified in the site.

Once again, the IP is not listed and therefore will not match the domain name.
Keep in mind that if the site is ever visited from a valid URL, for example client1.mydomain.com, the certificate is valid and works as expected. I just believe that this is mainly due to the reasons listed above and given the nature of wildcard certificates.
Any comments would be appreciated, and if there are any other methods I could use to check validity and provide assurance to my team, that would also be greatly appreciated.
Thank you for your input.
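One way to give the team an independent check, as an added example that is not part of the original post or of the scanner: apply the same name-matching rules a browser applies (RFC 6125-style matching against the SAN list, with a wildcard covering exactly one leftmost label, and IP literals compared only against IP Address SANs) to a certificate shaped like the one in the post. The `CONSTRUCTED_CERT` dictionary below is constructed in the shape `ssl.SSLSocket.getpeercert()` returns for a `*.somedomain.com` certificate; the `fetch_and_check` helper is an assumed convenience for pulling the real certificate while connecting by IP but presenting the DNS name via SNI, which is what the scanner is not doing when it scans by IP.

```python
"""Check which target names a wildcard certificate actually covers.

Added example (not from the original post or the scanner). The cert
dictionary is constructed to mirror the shape returned by
ssl.SSLSocket.getpeercert() for a *.somedomain.com wildcard cert.
"""
import ipaddress
import socket
import ssl

# Constructed sample: CN and SANs as described in the scan finding.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "*.somedomain.com"),),),
    "subjectAltName": (
        ("DNS", "*.somedomain.com"),
        ("DNS", "somedomain.com"),
    ),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: '*' covers exactly one leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost '*' label is accepted, and never '*.com'.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # Wildcard does not span multiple labels: a.b.somedomain.com fails.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(cert, target):
    """Return (matched, reason) for a DNS name or IP literal target."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals match only 'IP Address' SANs, never DNS names or CN.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"matched IP Address SAN {value}"
        return False, "target is an IP literal and no IP Address SAN is present"
    for kind, value in sans:
        if kind == "DNS" and _dns_name_matches(value, target):
            return True, f"matched DNS SAN {value}"
    # CN is a legacy fallback; modern clients ignore it once DNS SANs exist.
    if not any(kind == "DNS" for kind, _ in sans):
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dns_name_matches(value, target):
                    return True, f"matched CN {value} (no DNS SANs present)"
    return False, "no DNS SAN covers this name"


def fetch_and_check(ip, expected_hostname, port=443):
    """Assumed helper: connect to the IP the scanner targets, but send the
    DNS name via SNI and let the default context verify it. Raises
    ssl.SSLCertVerificationError on mismatch. Needs network; not run here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=expected_hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name in ("client1.somedomain.com", "somedomain.com",
                 "a.b.somedomain.com", "203.0.113.10"):
        print(name, certificate_covers(CONSTRUCTED_CERT, name))
```

Running the offline check reproduces the scanner's verdict for an IP target (no match, because no IP Address SAN exists) and the browser's verdict for `client1.somedomain.com` (match via the wildcard SAN); the deeper-level name `a.b.somedomain.com` also fails, which is worth showing the team since a wildcard does not cover it. Calling `fetch_and_check("<server IP>", "client1.somedomain.com")` against the real host confirms the live certificate validates when the proper name is presented.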