
SSL Certificate: Can we have the CN and SAN name fields each with different URL names?

Sarovani (Cirrostratus)

Hi Mates,

I have one doubt related to SAN certificates. Can you please help me understand?

If we configure a certificate with CN tech.support.ca-consumer.ab-cd.xyz and add only tech.support.ca-consumer.local in the SAN, will the URL for tech.support.ca-consumer.ab-cd.xyz work, or will we get a certificate error?

CN : tech.support.ca-consumer.ab-cd.xyz
SAN : DNS:tech.support.ca-consumer.local


4 REPLIES

Simon_Blakely (F5 Employee)

From the OpenSSL Wiki:

> Validates the server's identity by looking for the expected hostname in the
> server's certificate. As described in RFC 6125, it first tries to find a match
> in the Subject Alternative Name extension. If the extension is not present in
> the certificate, it checks the Common Name instead.

For BigIP SNI indication in a client-ssl profile:

K16583: The Client SSL profile may use SAN hostnames from an SSL certificate

> Beginning in 11.6.0, if the Server Name setting is not defined in the Client SSL profile,
> the BIG-IP system will use multiple hostnames from the Subject Alternative Name (SAN) field,
> and will also continue to use the CN from the server SSL certificate.
> The SAN is embedded in the Server SSL certificate and is used for name-based authentication.


Sarovani (Cirrostratus)

Thank you for the information.

I think this did not answer my question.

When a client connects to an HTTPS URL, it gets the certificate in the TLS SERVER_HELLO.

It tries to validate that certificate against the hostname it used to connect to the server.

RFC 6125 describes what the client must do to validate the certificate, which is

So the certificate as configured will be verified as valid by clients that connect using either of those hostnames.

Additionally, the client (in the CLIENT_HELLO) can specify the hostname of the server it is connecting to: Server Name Indication (SNI).

The BigIP can use the SNI name in the CLIENT_HELLO to select the correct certificate to present when a single virtual server IP serves multiple HTTPS sites.

The BigIP will compare the SNI name presented by the CLIENT_HELLO with the CN and the SAN hostnames of the client-ssl profiles attached to the virtual server to select the correct certificate to present in the SERVER_HELLO.

I hope this is clearer.
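Added example (my own code, not from the thread, from F5 or from OpenSSL): a small matcher that applies the rule quoted from the OpenSSL wiki above (SAN DNS names first, the CN only when the certificate carries no SAN) to the certificate from the question, plus a deliberately simplified model of the CN/SAN comparison the reply describes for picking a client-ssl profile by SNI. The function names, the certificate/profile dict layout and the selection order are assumptions, not BIG-IP's implementation.

```python
def _dns_match(pattern: str, hostname: str) -> bool:
    """Compare one presented DNS name with the reference hostname in the style
    of RFC 6125 section 6.4.3: case-insensitive, trailing dot ignored, and a
    '*' accepted only as the entire left-most label, matching exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Partial wildcards (te*.example) or a wildcard that is not left-most are rejected.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]) or len(p_labels) < 3:
        return False
    return (len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
            and h_labels[0] != "")


def matches_hostname(cert: dict, hostname: str) -> bool:
    """Client-side identity check per the rule quoted from the OpenSSL wiki:
    look in the SAN DNS names first; fall back to the CN only when the
    certificate has no SAN DNS names at all."""
    candidates = cert["san_dns"] if cert["san_dns"] else [cert["subject_cn"]]
    return any(_dns_match(name, hostname) for name in candidates)


def select_profile(profiles: list, sni: str):
    """Assumed simplification of the reply's description: return the name of
    the first client-ssl profile whose certificate CN or SAN matches the SNI
    name from the CLIENT_HELLO, or None when nothing matches."""
    for profile in profiles:
        cert = profile["cert"]
        if any(_dns_match(n, sni) for n in [cert["subject_cn"]] + cert["san_dns"]):
            return profile["name"]
    return None


# Constructed certificate identities, copied from the question above.
CERT_WITH_SAN = {"subject_cn": "tech.support.ca-consumer.ab-cd.xyz",
                 "san_dns": ["tech.support.ca-consumer.local"]}
CERT_NO_SAN = {"subject_cn": "tech.support.ca-consumer.ab-cd.xyz", "san_dns": []}

if __name__ == "__main__":
    for host in ("tech.support.ca-consumer.local", "tech.support.ca-consumer.ab-cd.xyz"):
        print(host, "| with SAN:", matches_hostname(CERT_WITH_SAN, host),
              "| without SAN:", matches_hostname(CERT_NO_SAN, host))
```

This checks the presented identity only; chain building, signature, validity period and revocation are separate steps of certificate validation.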

Sarovani (Cirrostratus)

Yes, this is clear. Thank you 👍