Forum Discussion
Blue_whale
Cirrocumulus
CirrocumulusSSL Certificate : Can we have CN and SAN name field each with different URL names ?
Hi Mates , I have one doubt related to SAN certificate , Can you please help me understand . If we configure a certificate with CN : tech.support.ca-consumer.ab-cd.xyz and add only tech.supp...
When a client connects to a HTTPS url, it gets the certificate in the TLS SERVER_HELLO.
It tries to validate that certificate against the hostname it used to connect to the server.
RFC 6125 describes what the client must do to validate the certificate, which is
- check the CN for a match (tech.support.ca-consumer.ab-cd.xyz)
- check the SAN names for a match (tech.support.ca-consumer.local)
So the certificate as configured will be verified as valid by clients that connect using either of those hostnames.
Additionally, the client (in the CLIENT_HELLO) can specify the hostname of the server it is connecting to - Server Name Indication (SNI).
The BigIP can use the SNI name in the CLIENT_HELLO to select the correct certificate to present when a single virtual server IP serves multiple HTTPS sites.
The BigIP will compare the SNI name presented by the CLIENT_HELLO with the CN and the SAN hostnames of the client-ssl profiles attached to the virtual server to select the correct certificate to present in the SERVER_HELLO.
I hope this is clearer.
Blue_whaleCirrocumulus
CirrocumulusThank you for the information .
I think this did not answer my question .
Simon_Blakely
Employee
EmployeeWhen a client connects to a HTTPS url, it gets the certificate in the TLS SERVER_HELLO.
It tries to validate that certificate against the hostname it used to connect to the server.
RFC 6125 describes what the client must do to validate the certificate, which is
- check the CN for a match (tech.support.ca-consumer.ab-cd.xyz)
- check the SAN names for a match (tech.support.ca-consumer.local)
So the certificate as configured will be verified as valid by clients that connect using either of those hostnames.
Additionally, the client (in the CLIENT_HELLO) can specify the hostname of the server it is connecting to - Server Name Indication (SNI).
The BigIP can use the SNI name in the CLIENT_HELLO to select the correct certificate to present when a single virtual server IP serves multiple HTTPS sites.
The BigIP will compare the SNI name presented by the CLIENT_HELLO with the CN and the SAN hostnames of the client-ssl profiles attached to the virtual server to select the correct certificate to present in the SERVER_HELLO.
I hope this is clearer.