Certificates with Subject Alternative Names

Today, I was at a client where I experienced a strange behaviour.

We added a certificate to a few VMware Horizon Connection servers with a Common Name of vdi.customer.com and the FQDNs and IP addresses of the VMware Horizon Connection servers:

  • cs-1.customer.com
  • cs-2.customer.com
  • 10.10.10.1
  • 10.10.10.2

When opening a browser towards cs-1.customer.com or cs-2.customer.com the certificate was shown as valid; however, when going to vdi.customer.com the certificate was shown as invalid.

After investigation we found that vdi.customer.com also had to be added to the list of SANs, even though it is already the Common Name.

According to RFC 2818 section 3.1:

  If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

That means that as soon as a certificate carries a SAN extension, the SAN list must contain every name clients will connect with, including the name used as Common Name, because the Common Name is not checked at all in that case.
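As an added illustration (not part of the original post), here is a small Python model of the RFC 2818 section 3.1 matching rule, run against a constructed certificate shaped like the one in the post; the dictionary layout and function names are assumptions of this example, not a VMware or OpenSSL API:

```python
import ipaddress

def matches_dns(pattern: str, hostname: str) -> bool:
    """RFC 2818 3.1 dNSName comparison: case-insensitive, and '*' matches
    exactly one leftmost label (e.g. *.customer.com matches cs-1.customer.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]

def identity_matches(cert: dict, target: str) -> tuple[bool, str]:
    """Apply the RFC 2818 section 3.1 rule to a (constructed) parsed certificate.
    cert = {"cn": str, "dns_sans": [...], "ip_sans": [...]}; returns (ok, reason)."""
    # A client connecting to an IP literal only ever matches iPAddress SANs.
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        ok = any(ipaddress.ip_address(s) == ip for s in cert.get("ip_sans", []))
        return ok, "iPAddress SAN"
    dns_sans = cert.get("dns_sans", [])
    if dns_sans:
        # dNSName SAN present: it MUST be used; the Common Name is never consulted.
        ok = any(matches_dns(p, target) for p in dns_sans)
        return ok, "dNSName SAN (CN ignored)"
    # No dNSName SAN at all: deprecated fallback to the Common Name.
    return matches_dns(cert.get("cn", ""), target), "Common Name fallback"

# Constructed example mirroring the post: the CN is missing from the SAN list.
HORIZON_CERT = {
    "cn": "vdi.customer.com",
    "dns_sans": ["cs-1.customer.com", "cs-2.customer.com"],
    "ip_sans": ["10.10.10.1", "10.10.10.2"],
}
# The corrected certificate: the CN is repeated as a dNSName SAN.
FIXED_CERT = {**HORIZON_CERT, "dns_sans": HORIZON_CERT["dns_sans"] + ["vdi.customer.com"]}

if __name__ == "__main__":
    for cert in (HORIZON_CERT, FIXED_CERT):
        for name in ("cs-1.customer.com", "vdi.customer.com", "10.10.10.1"):
            ok, why = identity_matches(cert, name)
            print(f"{name:20} {'valid' if ok else 'INVALID':8} via {why}")
```

Running it shows vdi.customer.com rejected for the first certificate and accepted for the second, while the connection-server names and IP addresses pass in both cases.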
