Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

SSL Certificate : Can we have CN and SAN name field each with different URL names ?

Go to solution
Sarovani
Cirrocumulus
Cirrocumulus

‎08-Apr-2020 09:07

Hi Mates ,

 

I have one doubt related to SAN certificate , Can you please help me understand .

 

If we configure a certificate with CN : tech.support.ca-consumer.ab-cd.xyz and add only tech.support.ca-consumer.local  in SAN , will the URL for tech.support.ca-consumer.ab-cd.xyz works or we get certificate error ?

 

 

CN : tech.support.ca-consumer.ab-cd.xyz

 SAN : DNS:tech.support.ca-consumer.local 

 

 

0691T000008GxyYQAS.jpg

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Simon_Blakely
F5 Employee
F5 Employee
In response to Sarovani

‎09-Apr-2020 14:57

When a client connects to a HTTPS url, it gets the certificate in the TLS SERVER_HELLO.

 

It tries to validate that certificate against the hostname it used to connect to the server.

RFC 6125 describes what the client must do to validate the certificate, which is

 

So the certificate as configured will be verified as valid by clients that connect using either of those hostnames.

 

Additionally, the client (in the CLIENT_HELLO) can specify the hostname of the server it is connecting to - Server Name Indication (SNI).

 

The BigIP can use the SNI name in the CLIENT_HELLO to select the correct certificate to present when a single virtual server IP serves multiple HTTPS sites.

The BigIP will compare the SNI name presented by the CLIENT_HELLO with the CN and the SAN hostnames of the client-ssl profiles attached to the virtual server to select the correct certificate to present in the SERVER_HELLO.

 

I hope this is clearer.

View solution in original post

0 Kudos
4 REPLIES 4

Go to solution
Simon_Blakely
F5 Employee
F5 Employee

‎08-Apr-2020 14:31

From the OpenSSL Wiki:

 

>

> * Validates the server's identity by looking for the expected hostname in the

> * server's certificate. As described in RFC 6125, it first tries to find a match

> * in the Subject Alternative Name extension. If the extension is not present in

> * the certificate, it checks the Common Name instead.

>

 

For BigIP SNI indication in a client-ssl profile:

 

K16583: The Client SSL profile may use SAN hostnames from an SSL certificate

 

> Beginning in 11.6.0, if the Server Name setting is not defined in the Client SSL profile,

> the BIG-IP system will use multiple hostnames from the Subject Alternative Name (SAN) field,

> and will also continue to use the CN from the server SSL certificate.

> The SAN is embedded in the Server SSL certificate and is used for name-based authentication.

 

 

0 Kudos

Go to solution
Sarovani
Cirrocumulus
Cirrocumulus

‎09-Apr-2020 13:02

Thank you for the information .

 

I think this did not answer my question .

0 Kudos

Go to solution
Simon_Blakely
F5 Employee
F5 Employee
In response to Sarovani

‎09-Apr-2020 14:57

When a client connects to a HTTPS url, it gets the certificate in the TLS SERVER_HELLO.

 

It tries to validate that certificate against the hostname it used to connect to the server.

RFC 6125 describes what the client must do to validate the certificate, which is

 

So the certificate as configured will be verified as valid by clients that connect using either of those hostnames.

 

Additionally, the client (in the CLIENT_HELLO) can specify the hostname of the server it is connecting to - Server Name Indication (SNI).

 

The BigIP can use the SNI name in the CLIENT_HELLO to select the correct certificate to present when a single virtual server IP serves multiple HTTPS sites.

The BigIP will compare the SNI name presented by the CLIENT_HELLO with the CN and the SAN hostnames of the client-ssl profiles attached to the virtual server to select the correct certificate to present in the SERVER_HELLO.

 

I hope this is clearer.

0 Kudos

Go to solution
Sarovani
Cirrocumulus
Cirrocumulus

‎10-Apr-2020 07:11

YEs , this is clear . thank you 👍

0 Kudos
Copyright © 2023 Khoros, LLC