Forum Discussion
SSL Certificate: Can we have CN and SAN name fields each with a different URL name?
- Apr 09, 2020
Thank you for the information.
I think this did not answer my question.
- Simon_Blakely, Apr 09, 2020 (Employee)
When a client connects to an HTTPS URL, it gets the certificate in the TLS SERVER_HELLO.
It tries to validate that certificate against the hostname it used to connect to the server.
RFC 6125 describes what the client must do to validate the certificate, which is
- check the CN for a match (tech.support.ca-consumer.ab-cd.xyz)
- check the SAN names for a match (tech.support.ca-consumer.local)
So the certificate as configured will be verified as valid by clients that connect using either of those hostnames.
Additionally, the client (in the CLIENT_HELLO) can specify the hostname of the server it is connecting to - Server Name Indication (SNI).
The BigIP can use the SNI name in the CLIENT_HELLO to select the correct certificate to present when a single virtual server IP serves multiple HTTPS sites.
The BigIP will compare the SNI name presented by the CLIENT_HELLO with the CN and the SAN hostnames of the client-ssl profiles attached to the virtual server to select the correct certificate to present in the SERVER_HELLO.
I hope this is clearer.
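The following is an added example, not code from the thread or from F5; it models the two checks discussed above in pure Python with no network or crypto library. `client_validates` implements the RFC 6125 comparison a conforming client performs, including the section 6.4.4 rule that the CN is consulted only when the certificate carries no dNSName SAN at all (modern browsers behave this way, so a hostname that appears only in the CN of a certificate that also has a SAN will fail validation). `select_cert_for_sni` models the server-side behaviour described for the BIG-IP: compare the SNI name against the CN and SAN of each client-ssl profile's certificate and return the matching profile, falling back to a default. `Cert`, the profile names, the `default` parameter, the `*.example.local` certificate and the "refuse `*.com`-style wildcards" rule are assumptions of this example; the two `tech.support.ca-consumer.*` hostnames come from the thread.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: subject CN plus SAN dNSName entries."""
    cn: str
    san_dns: Tuple[str, ...] = ()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 s6.4.3 comparison of one presented identifier (CN or dNSName)
    with the reference identifier the client used to connect."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # A wildcard is honoured only as the entire left-most label ("*.example.com");
    # "w*.example.com" and "*.*.example.com" are rejected.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Refuse "*.com"-style patterns (common client hardening; an assumption of this example).
    if len(p_labels) < 3:
        return False
    # The wildcard never spans a dot: "*.example.com" does not cover "a.b.example.com".
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def client_validates(cert: Cert, hostname: str) -> bool:
    """What a conforming client does (RFC 6125 s6.4.4): if the certificate has any
    dNSName SAN, only the SAN list is consulted; the CN is a fallback used solely
    for legacy certificates with no dNSName SAN at all."""
    if cert.san_dns:
        return any(dns_name_matches(n, hostname) for n in cert.san_dns)
    return dns_name_matches(cert.cn, hostname)


def cert_covers_name(cert: Cert, name: str) -> bool:
    """Looser 'does this certificate mention the name anywhere' test (CN or SAN),
    used for server-side SNI certificate selection."""
    return dns_name_matches(cert.cn, name) or any(
        dns_name_matches(n, name) for n in cert.san_dns
    )


def select_cert_for_sni(sni: Optional[str], profiles: Dict[str, Cert], default: str) -> str:
    """Server-side selection modelled on the BIG-IP behaviour described in the thread:
    compare the SNI name with the CN and SAN of each client-ssl profile's certificate
    and return the first matching profile name. Fall back to `default` when the client
    sent no SNI or nothing matched (profile names and `default` are hypothetical)."""
    if sni:
        for name, cert in profiles.items():
            if cert_covers_name(cert, sni):
                return name
    return default


# Constructed data mirroring the certificate discussed in the thread.
THREAD_CERT = Cert(
    cn="tech.support.ca-consumer.ab-cd.xyz",
    san_dns=("tech.support.ca-consumer.local",),
)
# The fix: list every hostname in the SAN; the CN then no longer matters to clients.
FIXED_CERT = Cert(
    cn="tech.support.ca-consumer.ab-cd.xyz",
    san_dns=("tech.support.ca-consumer.ab-cd.xyz", "tech.support.ca-consumer.local"),
)


def demo() -> dict:
    """Run the checks on constructed certificates and profiles (names are hypothetical)."""
    profiles = {
        "ext_profile": FIXED_CERT,
        "wild_profile": Cert(cn="*.example.local", san_dns=("*.example.local",)),
    }
    return {
        "thread_cert_local": client_validates(THREAD_CERT, "tech.support.ca-consumer.local"),
        "thread_cert_xyz": client_validates(THREAD_CERT, "tech.support.ca-consumer.ab-cd.xyz"),
        "fixed_cert_xyz": client_validates(FIXED_CERT, "tech.support.ca-consumer.ab-cd.xyz"),
        "sni_pick": select_cert_for_sni("app.example.local", profiles, "ext_profile"),
        "no_sni_pick": select_cert_for_sni(None, profiles, "ext_profile"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical takeaway is the difference between the two functions: the server may happily select a certificate because the SNI name appears in its CN, while a strict client then rejects that same certificate because the name is absent from the SAN. Putting every hostname the certificate must serve into the SAN list avoids that mismatch.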