Thursday, July 30, 2015

Using Subject Alternative Names in certificates

If your site can be served via more than one hostname, you might have to set a "Subject Alternative Name" (SAN) with a comma-separated list of all your valid hostnames.

The MAD thing is that if you use a SAN, your MAIN Common Name (certificate Subject) will be ignored. So in your SAN list you should also specify the hostname that used to go in the Main subject.

Unless you do that, you will get a "Server's certificate does not match URL" error in Chrome, or a "Mismatched Address" error in IE. IE really stinks because its error message gives absolutely no extra info, while Chrome gives some extra context. Shame on Microsoft.

Chrome's full message says "This server could not prove that it is bla.acme.net; its security certificate is from pippo.acme.net . This may be caused by a misconfiguration or an attacker intercepting your connection".

The RFC which could bring some order to this chaos is RFC 6125, https://tools.ietf.org/html/rfc6125 (search for subjectAlternativeName).
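To see why the CN is silently dropped, here is an added example (not from the post) of the RFC 6125 matching rule a browser applies: when a subjectAltName extension is present, only its dNSName entries count and the Subject CN is never consulted. The certificate dicts are constructed to mirror the post's case (CN=pippo.acme.net, SAN listing only bla.acme.net) and use the shape returned by Python's ssl.SSLSocket.getpeercert().

```python
# Added example: RFC 6125-style hostname matching against a certificate.
# Cert dicts follow the layout of ssl.SSLSocket.getpeercert() (stdlib only).

def _dns_names(cert):
    """dNSName entries from the SAN extension; empty tuple when there is no SAN."""
    return tuple(v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS")

def _common_name(cert):
    """The Subject's commonName, or None if the cert has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _name_matches(pattern, hostname):
    """RFC 6125 6.4.3: a single '*' is allowed, only in the left-most label,
    and it never matches across a dot (so *.acme.net != a.b.acme.net)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head.count("*") != 1 or "*" in tail or not tail:
        return False
    h_head, _, h_tail = hostname.partition(".")
    if h_tail != tail or not h_head:
        return False
    prefix, suffix = head.split("*")
    return (len(h_head) >= len(prefix) + len(suffix)
            and h_head.startswith(prefix) and h_head.endswith(suffix))

def match_hostname(cert, hostname):
    """True if the cert is valid for hostname. With a SAN present the CN is
    ignored entirely, which is exactly the pitfall described in the post."""
    names = _dns_names(cert)
    if names:                       # SAN present: CN is NOT a fallback
        return any(_name_matches(n, hostname) for n in names)
    cn = _common_name(cert)         # legacy path: no SAN at all, use the CN
    return cn is not None and _name_matches(cn, hostname)

# Constructed sample certificates (not real certs).
BROKEN_CERT = {"subject": ((("commonName", "pippo.acme.net"),),),
               "subjectAltName": (("DNS", "bla.acme.net"),)}
FIXED_CERT = {"subject": ((("commonName", "pippo.acme.net"),),),
              "subjectAltName": (("DNS", "bla.acme.net"), ("DNS", "pippo.acme.net"))}
WILDCARD_CERT = {"subject": ((("commonName", "acme.net"),),),
                 "subjectAltName": (("DNS", "*.acme.net"),)}
```

Running match_hostname(BROKEN_CERT, "pippo.acme.net") returns False even though that name is the CN; FIXED_CERT, which repeats the CN inside the SAN list, returns True.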
