SSL Certificate with SubjectAlternativeName (SAN)

If you want to create an SSL certificate for multiple subdomains, you could either use a wildcard certificate like *.example.com or you could use an SSL certificate with SubjectAlternativeName (SAN).

For example, if you create an SSL certificate with SubjectAlternativeName (SAN) like this:

CN: gitlab.example.com
SAN: registry.example.com, mattermost.example.com

In my understanding it was one main name (gitlab.example.com) and two aliases (registry.example.com, mattermost.example.com).

But when I’ve accessed gitlab.example.com with my browser, the certificate (canonical name) was marked as invalid:

Certificate error
There are issues with the site's certificate chain
(net::ERR_CERT_COMMON_NAME_INVALID).

Explanation

As mentioned in the RFC6125 (released in 2011) the certificate validation must check for SAN (SubjectAlternativeName) first. If SAN exists, then the CN (Common Name) will be ignored:

RFC6125:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

Conclusion

So keep in mind, if you have an SSL certificate which uses SAN (SubjectAlternativeName) you must provide all aliases for your domain as SubjectAlternativeName, because CN (Common Name) will be ignored!

You can check your certificate content with the following openssl command:

$ openssl x509 -in example.com-cert.pem -text -noout

 Subject: CN=git.example.com

 X509v3 Subject Alternative Name:
 DNS:git.example.com, DNS:mattermost.example.com, DNS:registry.example.com

Just check if all of your desired aliases/subdomains are present in the X509v3 Subject Alternative Name section.

Note: You can easily generate your own Let’sEncrypt SSL certificate with SubjectAlternativeName (SAN) via certbot

18 Comments

Gaurav 14.05.2019 at 12:17

Hi Roger, Apart from DNS name SAN extension allows to provide IP address and e-mail addresses. In what scenarios using IP address and e-mail addresses would be useful. I understood the use case of DNS in SAN, but do not have any idea about e-mail and IP address.
Thanks,
halki diabetes remedy 08.01.2020 at 02:51

I think it is very complimentary to navigation and helps out a lot!
stardew valley pc download 31.03.2020 at 17:16

Thanks for the tips, I will create SSL certificate soon also.
geometry dash 14.07.2020 at 09:07

To get a good blog I think you tried a lot. And I think this is a very interesting blog, it attracts me by the content and creative design.
hair removal 23.10.2020 at 17:15

glad i found this!
sacramento acupuncture 30.10.2020 at 14:35

same here! glad i found this!
word finder 06.11.2020 at 09:51

Rich information, that’s really good, I’m looking for it, thanks for sharing.
www.marriagecounselinghoustontx.com 09.11.2020 at 08:32

thi sis great!
www.marriagecounselingdallastx.com 09.11.2020 at 08:32

love this soo much!
www.marriagecounselingcoloradosprings.com 09.11.2020 at 08:33

i wish i could use this for the whole duration
guitar lessons 18.02.2021 at 15:23

Wooooow! This is amazing
kitchen remodeling 18.02.2021 at 16:10

I need more information
xtralinq 10.03.2021 at 01:08

Smooth
https://plastersydney.com.au/ 16.03.2021 at 00:35

Thanks for a great content that you share with us.
https://sanfranciscoeyelashextensions.com 16.03.2021 at 03:39

Love the ideas. Very smart
pergola renovations 26.03.2021 at 02:21

This Blog Is All About The Facts Of Excellent Information Which You Provide. I Thankful To You For Sharing Amazing And Unique Content On Your Web Blog.
Website 26.03.2021 at 11:51

I love this weblog, wonderful content material and I am going to bookmark this website.
https //aka.ms/remoteconnect 31.03.2021 at 13:34

Mind boggling information. Blessed me I went over your site by some happenstance (stumbleupon). I’ve book-checked it for later!