Forum Discussion
SSL Certificate : Can we have CN and SAN name field each with different URL names ?
Hi Mates ,
I have one doubt related to SAN certificate , Can you please help me understand .
If we configure a certificate with CN : tech.support.ca-consumer.ab-cd.xyz and add only tech.support.ca-consumer.local in SAN , will the URL for tech.support.ca-consumer.ab-cd.xyz works or we get certificate error ?
CN : tech.support.ca-consumer.ab-cd.xyz
SAN : DNS:tech.support.ca-consumer.local
When a client connects to a HTTPS url, it gets the certificate in the TLS SERVER_HELLO.
It tries to validate that certificate against the hostname it used to connect to the server.
RFC 6125 describes what the client must do to validate the certificate, which is
- check the CN for a match (tech.support.ca-consumer.ab-cd.xyz)
- check the SAN names for a match (tech.support.ca-consumer.local)
So the certificate as configured will be verified as valid by clients that connect using either of those hostnames.
Additionally, the client (in the CLIENT_HELLO) can specify the hostname of the server it is connecting to - Server Name Indication (SNI).
The BigIP can use the SNI name in the CLIENT_HELLO to select the correct certificate to present when a single virtual server IP serves multiple HTTPS sites.
The BigIP will compare the SNI name presented by the CLIENT_HELLO with the CN and the SAN hostnames of the client-ssl profiles attached to the virtual server to select the correct certificate to present in the SERVER_HELLO.
I hope this is clearer.
- Simon_BlakelyEmployee
From the OpenSSL Wiki:
>
> * Validates the server's identity by looking for the expected hostname in the
> * server's certificate. As described in RFC 6125, it first tries to find a match
> * in the Subject Alternative Name extension. If the extension is not present in
> * the certificate, it checks the Common Name instead.
>
For BigIP SNI indication in a client-ssl profile:
K16583: The Client SSL profile may use SAN hostnames from an SSL certificate
> Beginning in 11.6.0, if the Server Name setting is not defined in the Client SSL profile,
> the BIG-IP system will use multiple hostnames from the Subject Alternative Name (SAN) field,
> and will also continue to use the CN from the server SSL certificate.
> The SAN is embedded in the Server SSL certificate and is used for name-based authentication.
- Blue_whaleCirrocumulus
Thank you for the information .
I think this did not answer my question .
- Simon_BlakelyEmployee
When a client connects to a HTTPS url, it gets the certificate in the TLS SERVER_HELLO.
It tries to validate that certificate against the hostname it used to connect to the server.
RFC 6125 describes what the client must do to validate the certificate, which is
- check the CN for a match (tech.support.ca-consumer.ab-cd.xyz)
- check the SAN names for a match (tech.support.ca-consumer.local)
So the certificate as configured will be verified as valid by clients that connect using either of those hostnames.
Additionally, the client (in the CLIENT_HELLO) can specify the hostname of the server it is connecting to - Server Name Indication (SNI).
The BigIP can use the SNI name in the CLIENT_HELLO to select the correct certificate to present when a single virtual server IP serves multiple HTTPS sites.
The BigIP will compare the SNI name presented by the CLIENT_HELLO with the CN and the SAN hostnames of the client-ssl profiles attached to the virtual server to select the correct certificate to present in the SERVER_HELLO.
I hope this is clearer.
- Blue_whaleCirrocumulus
YEs , this is clear . thank you 👍
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com