SSL Certificate: Can we have CN and SAN name fields each with different URL names?
Hi Mates,
I have one doubt related to SAN certificates. Can you please help me understand?
If we configure a certificate with CN: tech.support.ca-consumer.ab-cd.xyz and add only tech.support.ca-consumer.local in the SAN, will the URL for tech.support.ca-consumer.ab-cd.xyz work, or will we get a certificate error?
CN : tech.support.ca-consumer.ab-cd.xyz
SAN : DNS:tech.support.ca-consumer.local
- Blue_whaleCirrocumulus
Yes, this is clear. Thank you 👍
- Blue_whaleCirrocumulus
Thank you for the information.
I think this did not answer my question.
- Simon_BlakelyEmployee
When a client connects to an HTTPS URL, it gets the certificate in the TLS SERVER_HELLO.
It tries to validate that certificate against the hostname it used to connect to the server.
RFC 6125 describes what the client must do to validate the certificate, which is:
- check the CN for a match (tech.support.ca-consumer.ab-cd.xyz)
- check the SAN names for a match (tech.support.ca-consumer.local)
So the certificate as configured will be verified as valid by clients that connect using either of those hostnames.
Additionally, the client (in the CLIENT_HELLO) can specify the hostname of the server it is connecting to: Server Name Indication (SNI).
The BigIP can use the SNI name in the CLIENT_HELLO to select the correct certificate to present when a single virtual server IP serves multiple HTTPS sites.
The BigIP will compare the SNI name presented by the CLIENT_HELLO with the CN and the SAN hostnames of the client-ssl profiles attached to the virtual server to select the correct certificate to present in the SERVER_HELLO.
I hope this is clearer.
- Simon_BlakelyEmployee
From the OpenSSL Wiki:
> Validates the server's identity by looking for the expected hostname in the
> server's certificate. As described in RFC 6125, it first tries to find a match
> in the Subject Alternative Name extension. If the extension is not present in
> the certificate, it checks the Common Name instead.
For BigIP SNI indication in a client-ssl profile:
K16583: The Client SSL profile may use SAN hostnames from an SSL certificate
> Beginning in 11.6.0, if the Server Name setting is not defined in the Client SSL profile,
> the BIG-IP system will use multiple hostnames from the Subject Alternative Name (SAN) field,
> and will also continue to use the CN from the server SSL certificate.
> The SAN is embedded in the Server SSL certificate and is used for name-based authentication.
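As an added example (not code from this thread, from F5 or from OpenSSL), here are the two matching rules discussed above written out in Python over a constructed, dict-like stand-in for a certificate: the client-side rule quoted from the OpenSSL wiki, where SAN dNSName entries take precedence and the CN is consulted only when the SAN extension is absent, and the server-side SNI selection rule K16583 describes, where both the SAN hostnames and the CN of each candidate certificate are compared with the SNI name. Running it on the certificate from the question shows which hostname each rule accepts. The names `Cert`, `dns_id_matches`, `cert_matches_hostname` and `select_cert_for_sni` are chosen for this example; a real deployment would read CN and SAN from the parsed X.509 certificate instead.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for this example):
    only the fields that hostname matching looks at."""
    cn: str
    san_dns: List[str] = field(default_factory=list)
    label: str = ""


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """Compare one DNS-ID (a CN or a SAN dNSName) with a hostname, RFC 6125 6.4.3 style.

    Comparison is case-insensitive and ignores a trailing dot. A '*' is honoured
    only when it is the entire left-most label, it matches exactly one label of
    the hostname (never across a dot), and, as a conservative rule, a wildcard
    needs at least two labels after it ('*.xyz' is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def cert_matches_hostname(cert: Cert, hostname: str) -> bool:
    """Client-side validation as the OpenSSL wiki text quoted above describes it:
    when SAN dNSName entries exist, only they are consulted; the CN is used
    solely when the SAN extension is absent."""
    if cert.san_dns:
        return any(dns_id_matches(name, hostname) for name in cert.san_dns)
    return dns_id_matches(cert.cn, hostname)


def select_cert_for_sni(candidates: List[Cert], sni: Optional[str], default: Cert) -> Cert:
    """Server-side selection in the style K16583 describes for the Client SSL profile:
    the SNI name is compared with the SAN hostnames and with the CN of every
    candidate; the first match is presented, otherwise the default certificate."""
    if sni:
        for cert in candidates:
            names = list(cert.san_dns) + [cert.cn]
            if any(dns_id_matches(name, sni) for name in names):
                return cert
    return default


# The certificate from the question (constructed; values as posted in the thread).
THREAD_CERT = Cert(cn="tech.support.ca-consumer.ab-cd.xyz",
                   san_dns=["tech.support.ca-consumer.local"], label="thread-cert")
# Same CN but no SAN extension at all: only here does the CN count for validation.
CN_ONLY_CERT = Cert(cn="tech.support.ca-consumer.ab-cd.xyz", label="cn-only")
# A wildcard certificate for a second site (constructed), used to show SNI selection.
WILDCARD_CERT = Cert(cn="*.ab-cd.xyz", san_dns=["*.ab-cd.xyz"], label="wildcard")


def validation_report(cert: Cert) -> Dict[str, bool]:
    """Which of the two hostnames from the question a client would accept for `cert`."""
    return {h: cert_matches_hostname(cert, h)
            for h in ("tech.support.ca-consumer.ab-cd.xyz",
                      "tech.support.ca-consumer.local")}


if __name__ == "__main__":
    for cert in (THREAD_CERT, CN_ONLY_CERT):
        print(cert.label, validation_report(cert))
    chosen = select_cert_for_sni([WILDCARD_CERT, THREAD_CERT],
                                 "tech.support.ca-consumer.ab-cd.xyz", default=WILDCARD_CERT)
    print("SNI selection picks:", chosen.label)
```

The two functions deliberately differ: `select_cert_for_sni` will happily pick the thread's certificate for an SNI of tech.support.ca-consumer.ab-cd.xyz because the CN matches, but `cert_matches_hostname` then rejects that same certificate for that hostname because the SAN extension is present and does not list it. Putting every hostname a site answers to into the SAN is what keeps both checks in agreement.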