Can server and client both use a certificate with the same CN?

I am working on implementing TLS for a Client-Server application. But the problem is that both client and server are on the same server: both communicate with just a port number.

So what should the common name (CN) be for agent and server? If I use a different name other than the IP of the system, I get an "untrusted certificate warning" message. If I use the same CN name, the application is failing.


In TLS, the client certificate and the server certificate live in completely distinct worlds:

  • The server certificate is validated by the client.
  • The client certificate (when the server actually asks for a client certificate) is validated by the server.

There is no relation between these two certificates. There is no property that links them together. The two certificates are owned, sent, received and processed by distinct entities.

For a TLS connection to succeed, the server certificate must please the client; in particular, the client normally expects the intended server name to appear somewhere within the certificate, either in the Subject Alt Name extension, or, if there is no such extension, in the Common Name. This is specified in RFC 2818, section 3.1. This applies mostly if the connection is done through an https:// URL (the server name, as it appears in the URL, must also be in the server certificate). Notably, this match is by name, not by IP address; if client and server are on the same machine, then the URL should use the name "localhost" (not the IP address 127.0.0.1), and "localhost" should be part of the server certificate. Of course, this is not the only condition; the client should also be able to validate the certificate relative to a trusted authority.


Thanks to my abilities in haruspicy, I can make the hypothesis that your application locates certificates that it uses through the Common Name, so if you have two certificates with the same Common Name, the client or the server (or both) may choose the "wrong one".
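The name check the answer describes (RFC 2818 section 3.1: dNSName entries in the Subject Alt Name first, the Common Name only as a fallback), written out as an added Python example that is not part of the original answer. It also covers the iPAddress SAN case from the same RFC section, which is the only way a URL that uses 127.0.0.1 instead of "localhost" can pass the check; the certificate dicts are constructed samples in the layout returned by `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 2818 s3.1 name comparison: case-insensitive, with '*' accepted
    only as the whole left-most label (e.g. *.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject wildcards at the apex ("*.com") and across label boundaries.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, host: str) -> bool:
    """True if `host` (a DNS name or IP literal as typed in the URL) is one of
    the identities in `cert` (getpeercert() dict layout)."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for t, v in san if t == "DNS"]
    ip_names = [v for t, v in san if t == "IP Address"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL must equal an iPAddress SAN entry;
        # the Common Name is never consulted for IP addresses.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        # dNSName entries are authoritative: the CN is ignored once present.
        return any(_dns_match(p, host) for p in dns_names)
    # No dNSName SAN: fall back to the most specific commonName.
    cns = [v for rdn in cert.get("subject", ()) for a, v in rdn if a == "commonName"]
    return bool(cns) and _dns_match(cns[-1], host)


# Constructed sample certificates (getpeercert() layout, not real certificates).
CN_ONLY_LOCALHOST = {"subject": ((("commonName", "localhost"),),)}
SAN_LOCALHOST_AND_LOOPBACK = {
    "subject": ((("commonName", "ignored-when-san-present"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1")),
}
```

With only a CN of "localhost", a URL using 127.0.0.1 fails the check, which is the warning the question describes; adding an iPAddress SAN entry is what makes the IP form pass.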