Certificates with Subject Alternative Names

Today, I was at a client where I experienced some strange behaviour.

We added a certificate to a few VMware Horizon Connection Servers with a Common Name of vdi.customer.com and, as Subject Alternative Names (SANs), the FQDNs and IP addresses of the Connection Servers:

  • cs-1.customer.com
  • cs-2.customer.com
  • 10.10.10.1
  • 10.10.10.2

When opening a browser towards cs-1.customer.com or cs-2.customer.com the certificate was shown as valid; however, when going to vdi.customer.com the certificate was shown as invalid.

After investigation we saw that vdi.customer.com also had to be added to the list of SANs.

According to RFC 2818, section 3.1:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

That means that as soon as the certificate carries a SAN extension with dNSName entries, the SAN list must contain every name the server is reached by, including the one in the Common Name, because the CN is then not checked at all.
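The matching rule above, worked through in code against the certificate from this post. This is an added example and not part of the original post or of VMware's software; the CertIdentities class, the certificate_matches and lint_cn_in_san functions and the sample identity values are constructed for illustration (the names and addresses reuse the ones quoted above). The wildcard handling is the strict, full-label-only form that modern clients apply, which is narrower than the fragment wildcards RFC 2818 mentions.

```python
"""Hostname matching per RFC 2818 section 3.1 against a certificate's identities.

Constructed example: models only the identity-bearing fields of a server
certificate, so it runs offline with the standard library alone.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CertIdentities:
    """The identity fields of a server certificate (constructed model, not an X.509 parser)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    san_ip: List[str] = field(default_factory=list)   # subjectAltName iPAddress entries


def _dns_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive label-by-label match; '*' matches exactly one left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # *.customer.com must not match a.b.customer.com
    for p, h in zip(p_labels, h_labels):
        if p == "*":
            continue  # full-label wildcard only; partial wildcards such as f*.com are rejected
        if p != h:
            return False
    return True


def certificate_matches(cert: CertIdentities, requested: str) -> Tuple[bool, str]:
    """Return (matches, reason) for the host the client connected to.

    RFC 2818 s3.1: if any dNSName SAN is present, only the SAN list is consulted
    and the Common Name is ignored. The CN is a fallback only for certificates
    that carry no dNSName SAN at all.
    """
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None

    if ip is not None:
        # An IP literal is compared only with iPAddress SANs, never with DNS names or the CN.
        if any(ipaddress.ip_address(s) == ip for s in cert.san_ip):
            return True, f"iPAddress SAN {ip}"
        return False, "no iPAddress SAN matches"

    if cert.san_dns:
        for name in cert.san_dns:
            if _dns_matches(name, requested):
                return True, f"dNSName SAN {name}"
        return False, "dNSName SANs present but none match; CN is not consulted"

    if _dns_matches(cert.common_name, requested):
        return True, f"Common Name {cert.common_name} (fallback, no dNSName SAN)"
    return False, "no dNSName SAN and CN does not match"


def lint_cn_in_san(cert: CertIdentities) -> List[str]:
    """Pre-deployment check: flag a CN that is not also covered by a dNSName SAN."""
    if cert.san_dns and not any(_dns_matches(n, cert.common_name) for n in cert.san_dns):
        return [f"CN {cert.common_name} is not covered by any dNSName SAN; clients will reject it"]
    return []


# The certificate as first issued in the post: vdi.customer.com lives only in the CN.
ORIGINAL = CertIdentities(
    common_name="vdi.customer.com",
    san_dns=["cs-1.customer.com", "cs-2.customer.com"],
    san_ip=["10.10.10.1", "10.10.10.2"],
)

# The fix from the post: the CN value is repeated in the SAN list.
FIXED = CertIdentities(
    common_name="vdi.customer.com",
    san_dns=["vdi.customer.com", "cs-1.customer.com", "cs-2.customer.com"],
    san_ip=["10.10.10.1", "10.10.10.2"],
)

if __name__ == "__main__":
    for label, cert in (("original", ORIGINAL), ("fixed", FIXED)):
        for host in ("cs-1.customer.com", "vdi.customer.com", "10.10.10.1"):
            ok, why = certificate_matches(cert, host)
            print(f"{label:8} {host:18} {'valid' if ok else 'INVALID':8} {why}")
        for warning in lint_cn_in_san(cert):
            print(f"{label:8} warning: {warning}")
```

Running the script prints the same split the post observed: the original certificate is accepted for cs-1.customer.com and 10.10.10.1 but rejected for vdi.customer.com, and the lint function flags that certificate before it is ever installed. The same check is worth running on any CSR that mixes a CN with a SAN list.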