Prasanth Madhavan

Reputation: 13309

Handling the Host names, Subject Alternative names in certificate

How exactly should Host names be compared in an x509 certificate?

E.g., if the certificate is registered for *.abcorp.com, can a site like www.sales.abcorp.com be valid for this certificate, or would only sites like sales.abcorp.com be valid in such a case?

This question is to clear a doubt in my mind on my implementation of the hostname check for SSL certificates.

Google Chrome goes with the latter, i.e. if a certificate has the CN field as *.abcorp.com, then only sites like sales.abcorp.com will be valid under that certificate, and sites like www.sales.abcorp.com will throw an error saying the server's certificate does not match the URL.

Upvotes: 1

Views: 202

Answers (1)

doptimusprime

Reputation: 9395

Such certificates are known as wildcard certificates. After reading about wildcard certificates on the wiki, it is found that only a single level of sub-domain matching is supported.

Supporting www over the domain may accidentally support multiple levels of domain. Therefore, cases such as www.sales.abcorp.com do not match.

Upvotes: 1
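
The single-label rule from the answer above, as an added example that is not part of the original question or answer: a Python matcher in which a leftmost `*` covers exactly one DNS label, which is also the rule in RFC 6125. The function names, the rejection of partial wildcards and of `*.tld`, and the CN fallback are assumptions of this sketch; IP addresses and internationalized names are out of scope.

```python
def _labels(name):
    # DNS names compare case-insensitively; drop one trailing root dot.
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def dns_name_matches(pattern, hostname):
    """True if a certificate DNS name (possibly '*.example.com') covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    # Empty labels or a '*' in the requested hostname are never valid input.
    if "" in p or "" in h or any("*" in label for label in h):
        return False
    # A wildcard stands for exactly one label, so the label counts must agree.
    # This is what rejects www.sales.abcorp.com against *.abcorp.com.
    if len(p) != len(h):
        return False
    # The wildcard may appear only in the leftmost label.
    if any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        # Assumption: require two fixed labels so '*.com' is never honoured.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        # Assumption: partial wildcards such as 'w*.abcorp.com' are refused.
        return False
    return p == h


def certificate_matches(san_dns_names, common_name, hostname):
    """Check SAN dNSName entries; consult the CN only when there are none."""
    if san_dns_names:
        return any(dns_name_matches(n, hostname) for n in san_dns_names)
    return common_name is not None and dns_name_matches(common_name, hostname)


if __name__ == "__main__":
    # Constructed sample names taken from the question.
    for host in ("sales.abcorp.com", "www.sales.abcorp.com", "abcorp.com"):
        print(host, dns_name_matches("*.abcorp.com", host))
```

When the certificate carries any SAN dNSName entries, `certificate_matches` ignores the CN entirely, so a wildcard CN cannot widen what the SAN list allows.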
