SSL Certificate: Can we have CN and SAN name fields each with different URL names?
Hi Mates ,
I have one doubt related to SAN certificates, can you please help me understand.
If we configure a certificate with CN: tech.support.ca-consumer.ab-cd.xyz and add only tech.support.ca-consumer.local in the SAN, will the URL for tech.support.ca-consumer.ab-cd.xyz work, or will we get a certificate error?
CN: tech.support.ca-consumer.ab-cd.xyz
SAN: DNS:tech.support.ca-consumer.local
When a client connects to an HTTPS URL, it gets the certificate in the TLS SERVER_HELLO.
It tries to validate that certificate against the hostname it used to connect to the server.
RFC 6125 describes what the client must do to validate the certificate, which is
- check the CN for a match (tech.support.ca-consumer.ab-cd.xyz)
- check the SAN names for a match (tech.support.ca-consumer.local)
So the certificate as configured will be verified as valid by clients that connect using either of those hostnames.
Additionally, the client (in the CLIENT_HELLO) can specify the hostname of the server it is connecting to, via Server Name Indication (SNI).
The BigIP can use the SNI name in the CLIENT_HELLO to select the correct certificate to present when a single virtual server IP serves multiple HTTPS sites.
The BigIP will compare the SNI name presented by the CLIENT_HELLO with the CN and the SAN hostnames of the client-ssl profiles attached to the virtual server to select the correct certificate to present in the SERVER_HELLO.
I hope this is clearer.
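The CN/SAN comparison described in the answer, as an added example that is not part of the original post or of any F5 product code. It implements the RFC 6125 DNS-ID rules (case-insensitive match, single left-most wildcard label, and CN consulted only when the certificate carries no SAN dNSName; the `check_cn_with_san` flag models an older client that also checks the CN), using the certificate from the question as constructed sample input.

```python
# Added example: RFC 6125 section 6.4 hostname matching against CN and SAN.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Name fields of a server certificate (constructed sample, not a parsed X.509)."""
    cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _dns_id_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison. A wildcard is honoured only as the
    whole left-most label (RFC 6125 6.4.3): '*.example.com' matches
    'a.example.com' but not 'example.com' or 'a.b.example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject '*', 'a*.example.com', 'a.*.b' and wildcards spanning a whole TLD
    # such as '*.com' (a common client policy, assumed here).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def matches_hostname(hostname: str, cert: CertNames, check_cn_with_san: bool = False) -> bool:
    """True if the certificate is valid for `hostname`.
    RFC 6125 clients consult the CN only when no SAN dNSName is present;
    check_cn_with_san=True models a legacy client that always checks the CN too."""
    if any(_dns_id_match(name, hostname) for name in cert.san_dns):
        return True
    if cert.san_dns and not check_cn_with_san:
        return False  # SAN present and nothing matched: CN is ignored
    return cert.cn is not None and _dns_id_match(cert.cn, hostname)


# Constructed sample: the certificate from the question.
CERT = CertNames(cn="tech.support.ca-consumer.ab-cd.xyz",
                 san_dns=["tech.support.ca-consumer.local"])

if __name__ == "__main__":
    for host in ("tech.support.ca-consumer.local", "tech.support.ca-consumer.ab-cd.xyz"):
        print(host, "strict:", matches_hostname(host, CERT),
              "legacy:", matches_hostname(host, CERT, check_cn_with_san=True))
```

Running it shows the SAN name accepted by both client models, while the CN-only name is accepted only by the legacy model, which is the difference worth testing before relying on a CN that is absent from the SAN.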