SSL - Common Name not recognized

We have recently started creating certificates with subjectAltName in addition to using the CN for server identification, and I noticed a problem with CN recognition in the browsers.

In our case:

  • CN => www.example.com
  • SAN => www.machinename.com

If I try to access the site using the CN, the browser complains that the certificate has errors.

Using SAN works fine.

I checked further on this, and RFC 6125, section 6.4.4 states:

As noted, a client MUST NOT seek a match for a reference identifier of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client. Therefore, if and only if the presented identifiers do not include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client, then the client MAY as a last resort check for a string whose form matches that of a fully qualified DNS domain name in a Common Name field of the subject field (i.e., a CN-ID).

Based on this, I concluded that CN and SAN are:

  1. not complementary, and therefore
  2. CN should always be a subset of the list provided in SAN

Is this correct?

Edit: I understand that this is browser specific; I am looking for guidance on the modern browsers (IE11, Edge, Chrome, Firefox, etc.).


Solution 1:

"Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead." RFC 2818

And even RFC 6125 contains the following:

"Move away from including and checking strings that look like domain names in the subject's Common Name." RFC 6125, chap. 1.5

Using CN for DNS names is deprecated and isn't recognised by modern browsers like Chrome since version 57.

You should move all DNS names to the subjectAltName section of the certificate.
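The RFC 6125 rule quoted in the question, and the answer's advice to put every DNS name into subjectAltName, can be checked with a small hostname matcher. The following is an added example, not code from the question, the answer, or any browser: it implements the section 6.4.4 precedence (DNS-IDs present means the CN is never consulted; CN-ID is a last resort only when no DNS-ID exists) plus the left-most-label wildcard rule from section 6.4.3. The certificate dictionaries are constructed for illustration and mirror the shape Python's `ssl.SSLSocket.getpeercert()` returns, which is an assumption about how you would feed it a real peer certificate; SRV-ID, URI-ID and IDNA handling from the RFC are deliberately left out.

```python
"""Hostname matching per RFC 6125 section 6.4.4 (added example, not from the page).

Certificates are plain dicts in the format returned by ssl.getpeercert();
the ones at the bottom are constructed samples, not real certificates.
"""


def _dns_ids(cert):
    """Return the DNS-ID entries from subjectAltName (possibly empty)."""
    return [value for (typ, value) in cert.get("subjectAltName", ()) if typ == "DNS"]


def _cn_ids(cert):
    """Return commonName values from the subject (usually zero or one)."""
    found = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                found.append(value)
    return found


def _label_match(pattern, hostname):
    """Match one presented identifier against the reference hostname.

    Comparison is case-insensitive (DNS names are), and a wildcard is
    honoured only as the entire left-most label (RFC 6125 section 6.4.3):
    '*.example.com' matches 'a.example.com' but not 'example.com',
    'a.b.example.com', or anything via '*.com' or 'f*.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        # Reject partial-label wildcards and overly broad ones like '*.com'.
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return (matched, source) where source is 'DNS-ID', 'CN-ID' or None.

    If the certificate presents any DNS-ID, only those are consulted and the
    Common Name is ignored entirely, which is exactly why the questioner's
    certificate fails for www.example.com. The CN is used only when no
    DNS-ID is present.
    """
    dns_ids = _dns_ids(cert)
    if dns_ids:
        if any(_label_match(p, hostname) for p in dns_ids):
            return True, "DNS-ID"
        return False, None
    if any(_label_match(p, hostname) for p in _cn_ids(cert)):
        return True, "CN-ID"
    return False, None


# Constructed sample certificates (not real), in getpeercert() format.

# The certificate from the question: CN not repeated in the SAN list.
QUESTIONER_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.machinename.com"),),
}

# The certificate the answer recommends: every DNS name is in the SAN.
FIXED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "www.machinename.com")),
}

# A legacy certificate with no SAN at all: CN fallback still applies.
LEGACY_CN_ONLY_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
}


if __name__ == "__main__":
    samples = [
        ("questioner", QUESTIONER_CERT),
        ("fixed", FIXED_CERT),
        ("cn-only", LEGACY_CN_ONLY_CERT),
    ]
    for name, cert in samples:
        for host in ("www.example.com", "www.machinename.com"):
            print(f"{name:10s} {host:22s} {match_hostname(cert, host)}")
```

Run against the three samples, the questioner's certificate matches `www.machinename.com` through its DNS-ID but fails `www.example.com`, because once a DNS-ID is present the CN is never examined; the fixed certificate matches both names via DNS-ID, and only the SAN-less legacy certificate ever reaches the CN-ID path. That is the behaviour the question's RFC quotation describes and the reason the answer says to move all DNS names into subjectAltName.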