Forum Discussion

Blue_whale
Apr 08, 2020

SSL Certificate: Can we have the CN and SAN name fields each with different URL names?

Hi Mates,

I have one doubt related to SAN certificates. Can you please help me understand?

If we configure a certificate with CN: tech.support.ca-consumer.ab-cd.xyz and add only tech.support.ca-consumer.local in the SAN, will the URL for tech.support.ca-consumer.ab-cd.xyz work, or will we get a certificate error?

CN: tech.support.ca-consumer.ab-cd.xyz

SAN: DNS:tech.support.ca-consumer.local


  • Thank you for the information.

    I think this did not answer my question.

    • Simon_Blakely

      When a client connects to an HTTPS URL, it gets the certificate in the TLS SERVER_HELLO.

      It tries to validate that certificate against the hostname it used to connect to the server.

      RFC 6125 describes what the client must do to validate the certificate, which is

      So the certificate as configured will be verified as valid by clients that connect using either of those hostnames.

      Additionally, the client (in the CLIENT_HELLO) can specify the hostname of the server it is connecting to - Server Name Indication (SNI).

      The BigIP can use the SNI name in the CLIENT_HELLO to select the correct certificate to present when a single virtual server IP serves multiple HTTPS sites.

      The BigIP will compare the SNI name presented by the CLIENT_HELLO with the CN and the SAN hostnames of the client-ssl profiles attached to the virtual server to select the correct certificate to present in the SERVER_HELLO.

      I hope this is clearer.

  • From the OpenSSL Wiki:

    > Validates the server's identity by looking for the expected hostname in the
    > server's certificate. As described in RFC 6125, it first tries to find a match
    > in the Subject Alternative Name extension. If the extension is not present in
    > the certificate, it checks the Common Name instead.

    For BigIP SNI indication in a client-ssl profile:

    K16583: The Client SSL profile may use SAN hostnames from an SSL certificate

    > Beginning in 11.6.0, if the Server Name setting is not defined in the Client SSL profile,
    > the BIG-IP system will use multiple hostnames from the Subject Alternative Name (SAN) field,
    > and will also continue to use the CN from the server SSL certificate.
    > The SAN is embedded in the Server SSL certificate and is used for name-based authentication.
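The SAN-first rule in the OpenSSL wiki quote above, applied to the two hostnames from the question, as an added Python illustration that is not code from this thread, from F5 or from OpenSSL. The certificate is modelled as a plain dict of CN and SAN dNSName entries, wildcard handling follows RFC 6125 section 6.4.3, and the client-ssl profile names are constructed.

```python
from typing import Optional

# Added illustration of RFC 6125 hostname checking; not F5 or OpenSSL code.
# A certificate is modelled as a dict: its Common Name and its SAN dNSName list.


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one presented identifier against a hostname.
    A wildcard is honoured only as the whole left-most label (RFC 6125 6.4.3)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # "*" must be a complete left-most label, needs at least two more labels,
    # and stands in for exactly one label of the hostname.
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def match_hostname(cert: dict, hostname: str) -> bool:
    """True if hostname is a valid reference identifier for cert.
    SAN dNSName entries are authoritative when present; the CN is consulted
    only for a certificate that carries no SAN dNSName at all."""
    sans = cert.get("san_dns", [])
    if sans:
        return any(_name_matches(s, hostname) for s in sans)
    cn = cert.get("cn")
    return bool(cn) and _name_matches(cn, hostname)


def select_cert_for_sni(profiles: dict, sni: str) -> Optional[str]:
    """Pick the client-ssl profile whose certificate covers the SNI name, the
    comparison the thread describes for BIG-IP; None means no profile matched."""
    for name, cert in profiles.items():
        if match_hostname(cert, sni):
            return name
    return None


# Constructed certificate as in the question: CN and one different SAN entry.
QUESTION_CERT = {"cn": "tech.support.ca-consumer.ab-cd.xyz",
                 "san_dns": ["tech.support.ca-consumer.local"]}
# Constructed corrected certificate: every served hostname listed in the SAN.
FIXED_CERT = {"cn": "tech.support.ca-consumer.ab-cd.xyz",
              "san_dns": ["tech.support.ca-consumer.ab-cd.xyz",
                          "tech.support.ca-consumer.local"]}
# Constructed legacy certificate with no SAN extension at all.
CN_ONLY_CERT = {"cn": "tech.support.ca-consumer.ab-cd.xyz", "san_dns": []}

if __name__ == "__main__":
    for host in ("tech.support.ca-consumer.ab-cd.xyz", "tech.support.ca-consumer.local"):
        print(host, match_hostname(QUESTION_CERT, host), match_hostname(FIXED_CERT, host))
```

With the certificate exactly as configured in the question, only the SAN hostname validates: a client that finds a SAN extension does not fall back to the CN, so the CN hostname has to be listed in the SAN as well.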