
Two common names result in mismatch?

Question asked by j457 on May 26, 2012
Latest reply on Feb 10, 2016 by tlussnig

I generated a certificate like this:




        Version: 1 (0x0)
        Serial Number: ...
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=..., ST=..., L=..., O=..., CN=www.<domain>.com, CN=<domain>.com
            Not Before: ...
            Not After : ...
        Subject: C=US, ST=..., L=..., O=..., CN=www.<domain>.com, CN=<domain>.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1
    Signature Algorithm: ecdsa-with-SHA256



The important part being the two CNs.  When I run sslcheck against (the canonical form), it says there's a mismatch.


However, Chrome doesn't complain about the mismatch.  It only warns that the cert is self-signed and untrusted.


If I generate a different cert using and literally, and set the webserver to use that one, I get both warnings: untrusted (because self-signed) and not matching the URL.


I realize that CAs tend to use subjectAltName to do this, but is there any reason why multiple CNs for multiple hostnames shouldn't work, or why the Qualys SSL checker considers it a mismatch?


I even generated and used a new cert with the order of the two CNs reversed.  Chrome still doesn't mention a mismatch*, while Qualys still considers it a mismatch.


*Something weird happens with Chromium on Linux, where it does say there's a mismatch, but perhaps that's because I haven't restarted Chromium there.  On Windows, and after restarting Chrome just to be sure, it considers the domain to match regardless of CN order.
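
An added example, not part of the original post and not the code of Chrome or the Qualys checker: three hypothetical name-matching policies run against a constructed subject with the same two-CN shape. It shows that a certificate relying on multiple CNs gets validator-dependent verdicts, while dNSName entries in subjectAltName match under all three. The function names, `example.com`, and the reading of RFC 2818's "most specific" CN as the last one listed are assumptions.

```python
# Constructed stand-in for the Subject in the post; example.com replaces <domain>.com.
SUBJECT = "C=US, ST=State, L=City, O=Org, CN=www.example.com, CN=example.com"
HOSTS = ["www.example.com", "example.com"]


def common_names(subject):
    """Return every CN value of an openssl-style one-line subject, in listed order.

    Simplification: assumes no attribute value contains ', '.
    """
    pairs = (part.split("=", 1) for part in subject.split(", "))
    return [value.strip() for key, value in pairs if key.strip() == "CN"]


def same_host(name, host):
    """Exact, case-insensitive DNS name comparison (wildcards left out)."""
    return name.lower().rstrip(".") == host.lower().rstrip(".")


def lenient(subject, san, host):
    """Hypothetical lenient policy: any SAN dNSName or any CN may match."""
    return any(same_host(n, host) for n in list(san) + common_names(subject))


def rfc2818(subject, san, host):
    """RFC 2818 section 3.1: SAN dNSNames if present, otherwise a single CN.

    Assumption: the "most specific" CN is the last one listed.
    """
    if san:
        return any(same_host(n, host) for n in san)
    cns = common_names(subject)
    return bool(cns) and same_host(cns[-1], host)


def san_only(subject, san, host):
    """Hypothetical strict policy: the subject CN is ignored entirely."""
    return any(same_host(n, host) for n in san)


POLICIES = {"lenient": lenient, "rfc2818": rfc2818, "san_only": san_only}


def compare(subject, san):
    """Map each host to {policy name: verdict} for one certificate."""
    return {h: {n: p(subject, san, h) for n, p in POLICIES.items()} for h in HOSTS}


if __name__ == "__main__":
    for label, san in (("two CNs, no SAN", []), ("SAN with both names", HOSTS)):
        print(label, compare(SUBJECT, san))
```
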