Primary 'common name' in subjectAltName?

2

I have my own X.509 CA. When issuing certificates for hosts, if I have

  • Subject: .../CN=foobox.grawity.tld
  • and subjectAltName: DNS:foobox.local,

do I still have to put DNS:foobox.grawity.tld as a subjectAltName?

(I noticed that Chrome sometimes uses the first sAN instead of the subject common name in error messages.)

user1686

Posted 2011-01-07T06:12:15.457

Reputation: 283 655

Answers

2

RFC 2818 says:

If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.

Which means that the CN will be ignored if the subjectAltName is present, so yes, you do need to add foobox.grawity.tld as a subjectAltName entry.

Eric

Posted 2011-01-07T06:12:15.457

Reputation: 168
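The RFC 2818 rule quoted in this answer, worked through as an added example (not code from the original post or from any library): the dictionaries are constructed stand-ins for a parsed certificate, and the matching logic shows why the certificate from the question fails for foobox.grawity.tld until that name is added to subjectAltName.

```python
import re

# Constructed stand-ins for a parsed certificate: subject CN plus the dNSName
# entries of subjectAltName. No real X.509 parsing happens here.
CERT_CN_ONLY = {"cn": "foobox.grawity.tld", "san_dns": []}
CERT_FROM_QUESTION = {"cn": "foobox.grawity.tld", "san_dns": ["foobox.local"]}
CERT_FIXED = {"cn": "foobox.grawity.tld",
              "san_dns": ["foobox.local", "foobox.grawity.tld"]}


def _dns_pattern_matches(pattern, hostname):
    """RFC 2818 section 3.1 wildcard rule: '*' matches within a single label,
    so '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    for p, h in zip(p_labels, h_labels):
        # Expand '*' inside this label only; everything else is literal.
        regex = "^" + ".*".join(re.escape(part) for part in p.split("*")) + "$"
        if not re.match(regex, h):
            return False
    return True


def identity_names(cert):
    """Names a client may match against, per RFC 2818: the SAN dNSNames when
    any are present, otherwise (deprecated fallback) the subject Common Name."""
    if cert["san_dns"]:
        return list(cert["san_dns"])
    return [cert["cn"]] if cert["cn"] else []


def hostname_matches(cert, hostname):
    """True if hostname matches one of the identities the client may use."""
    return any(_dns_pattern_matches(n, hostname) for n in identity_names(cert))
```

Current browsers go further than the RFC text: Chrome has ignored the Common Name entirely since version 58, so the CN-only fallback above only helps with older clients.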

0

Normally a client will want to see an exact match between the host name it thinks it's looking at and either the subjectDN.CommonName or a subjectAltName.

Ram

Posted 2011-01-07T06:12:15.457

Reputation: 977