Forum Discussion

Blue_whale
Apr 08, 2020

SSL Certificate : Can we have CN and SAN name field each with different URL names ?

Hi Mates, I have one doubt related to SAN certificate. Can you please help me understand. If we configure a certificate with CN: tech.support.ca-consumer.ab-cd.xyz and add only tech.supp...
  • Simon_Blakely
    Apr 09, 2020

    When a client connects to an HTTPS URL, it gets the certificate in the TLS SERVER_HELLO.

    It tries to validate that certificate against the hostname it used to connect to the server.

    RFC 6125 describes what the client must do to validate the certificate, which is

    So the certificate as configured will be verified as valid by clients that connect using either of those hostnames.

    Additionally, the client (in the CLIENT_HELLO) can specify the hostname of the server it is connecting to - Server Name Indication (SNI).

    The BigIP can use the SNI name in the CLIENT_HELLO to select the correct certificate to present when a single virtual server IP serves multiple HTTPS sites.

    The BigIP will compare the SNI name presented by the CLIENT_HELLO with the CN and the SAN hostnames of the client-ssl profiles attached to the virtual server to select the correct certificate to present in the SERVER_HELLO.

    I hope this is clearer.
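The two checks the answer above describes, the client's RFC 6125 hostname match against the certificate and the server-side choice of a client-ssl profile from the SNI name, as an added example that is not part of the original thread and not BIG-IP code. Certificates are modelled as plain dataclasses holding the CN and the SAN dNSName entries (constructed values, no real X.509 parsing), and the profile selection logic is a simplified stand-in for what the answer attributes to the BigIP. The example also covers the wildcard rules of RFC 6125 section 6.4.3 and the rule in section 6.4.4 that a client ignores the CN once the certificate carries SAN DNS names, which is the caveat to keep in mind when the CN and SAN are given different names.

```python
"""RFC 6125-style hostname matching plus SNI-based certificate selection.

Added illustration, not code from the thread or from F5. The certificate
identities below are constructed dicts/dataclasses, not parsed X.509 data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertNames:
    """Identity fields of a server certificate relevant to hostname checks."""
    common_name: str
    san_dns: tuple = ()   # SAN dNSName entries, empty for legacy CN-only certs


def _match_presented_id(pattern: str, hostname: str) -> bool:
    """Match one presented identifier (maybe a wildcard) against a hostname.

    RFC 6125 section 6.4.3 as implemented here:
      * comparison is case-insensitive, trailing dots are ignored;
      * a wildcard is honoured only as the entire left-most label, so
        "*.example.test" matches "a.example.test" but not "a.b.example.test"
        and not "example.test";
      * partial wildcards such as "f*.example.test" are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label and have a real domain after it.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard covers exactly one label, so label counts must agree.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """Client-side check: is `hostname` a valid name for this certificate?

    Per RFC 6125 section 6.4.4, once the certificate presents SAN dNSName
    entries the CN is not consulted at all; the CN is only a fallback for
    certificates with no SAN DNS identifiers.
    """
    if cert.san_dns:
        return any(_match_presented_id(p, hostname) for p in cert.san_dns)
    return _match_presented_id(cert.common_name, hostname)


@dataclass(frozen=True)
class ClientSslProfile:
    """Hypothetical stand-in for a client-ssl profile attached to a virtual server."""
    name: str
    cert: CertNames
    is_default: bool = False


def select_profile(profiles, sni_name):
    """Server-side choice: the profile whose CN or SAN names match the SNI name.

    Mirrors the answer's description (SNI compared with CN and SAN of every
    attached profile). With no SNI, or no match, the default profile is used;
    None means the server has nothing suitable to present.
    """
    default = next((p for p in profiles if p.is_default), None)
    if not sni_name:
        return default
    for p in profiles:
        names = (p.cert.common_name,) + tuple(p.cert.san_dns)
        if any(_match_presented_id(n, sni_name) for n in names):
            return p
    return default


# Constructed sample data using the hostname from the question.
SUPPORT_CERT = CertNames(
    common_name="tech.support.ca-consumer.ab-cd.xyz",
    san_dns=("tech.support.ca-consumer.ab-cd.xyz", "portal.ab-cd.xyz"),
)
CN_NOT_IN_SAN = CertNames(common_name="cn-only.ab-cd.xyz", san_dns=("other.ab-cd.xyz",))
WILDCARD_CERT = CertNames(common_name="*.ab-cd.xyz", san_dns=("*.ab-cd.xyz",))
PROFILES = [
    ClientSslProfile("default-profile", CertNames("default.ab-cd.xyz", ("default.ab-cd.xyz",)), True),
    ClientSslProfile("support-profile", SUPPORT_CERT),
]

if __name__ == "__main__":
    for host in ("portal.ab-cd.xyz", "cn-only.ab-cd.xyz", "a.b.ab-cd.xyz"):
        print(host, hostname_matches(SUPPORT_CERT, host), hostname_matches(CN_NOT_IN_SAN, host))
    print(select_profile(PROFILES, "portal.ab-cd.xyz").name)
    print(select_profile(PROFILES, None).name)
```

The `CN_NOT_IN_SAN` case is the one to watch when planning a certificate: a client following RFC 6125 will reject a connection to `cn-only.ab-cd.xyz` even though that name is the CN, because the SAN is present and does not list it. Putting every hostname into the SAN (repeating the CN there) avoids this.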