How do Common Names (CN) and Subject Alternative Names (SAN) work together?


Question

Assuming the Subject Alternative Name (SAN) property of an SSL certificate contains two DNS names

  1. domain.tld
  2. host.domain.tld

but the Common Name (CN) is set to only one of the two: CN=domain.tld.

  • Does this setup have a special meaning, or any [dis]advantages over setting both CNs?
  • What happens on server-side if the other one, host.domain.tld, is being requested?

Specifically, how does OpenSSL 0.9.8b+ handle the given scenario?

Answer

This depends on implementation, but the general rule is that the domain is checked against all SANs and the common name. If the domain is found there, then the certificate is ok for connection.

RFC 5280, section 4.1.2.6 says "The subject name MAY be carried in the subject field and/or the subjectAltName extension". This means that the domain name must be checked against both the SubjectAltName extension and the Subject property (namely its common name parameter) of the certificate. These two places complement each other and do not duplicate each other. And SubjectAltName is the proper place to put additional names, such as www.domain.com or www2.domain.com.

Update: as per RFC 6125, published in 2011, the validator must check SAN first, and if SAN exists, then CN should not be checked. Note that RFC 6125 is relatively recent and there still exist certificates, and CAs that issue certificates, which include the "main" domain name in CN and alternative domain names in SAN. I.e. by excluding CN from validation if SAN is present, you can deny some otherwise valid certificates.
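The matching rules the answer describes, as an added example that is not part of the original answer: a hostname matcher that follows RFC 6125 (consult only the SAN dNSName entries when the extension is present, fall back to the CN otherwise) with a switch for the older "check both" behaviour. The certificates are constructed dicts in the layout Python's `ssl.SSLSocket.getpeercert()` returns; the function names are this example's own.

```python
"""Hostname matching against a certificate's SAN and CN (added illustration)."""


def _dns_names_from_san(cert):
    """Return the dNSName entries of the subjectAltName extension, if any."""
    return [val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    """Return every commonName attribute found in the Subject field."""
    return [val for rdn in cert.get("subject", ()) for key, val in rdn if key == "commonName"]


def _label_matches(pattern, hostname):
    """Case-insensitive comparison; a wildcard is accepted only as the whole
    leftmost label and never spans a dot (RFC 6125 section 6.4.3 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == pattern[2:]


def hostname_matches(cert, hostname, san_only=True):
    """Decide whether `hostname` is covered by `cert`.

    san_only=True is the RFC 6125 rule: if the SAN extension carries dNSName
    entries, only those are consulted and the CN is ignored. san_only=False is
    the older behaviour the answer mentions, where the CN is checked as well."""
    san = _dns_names_from_san(cert)
    candidates = list(san)
    if not san or not san_only:
        candidates += _common_names(cert)
    return any(_label_matches(c, hostname) for c in candidates)


# Constructed certificate reproducing the question: SAN lists both names, CN only one.
QUESTION_CERT = {
    "subject": ((("commonName", "domain.tld"),),),
    "subjectAltName": (("DNS", "domain.tld"), ("DNS", "host.domain.tld")),
}
# Constructed legacy certificate: CN only, no SAN extension at all.
LEGACY_CERT = {"subject": ((("commonName", "host.domain.tld"),),)}
# Constructed certificate of the kind the update warns about: "main" name in CN only.
MIXED_CERT = {
    "subject": ((("commonName", "domain.tld"),),),
    "subjectAltName": (("DNS", "host.domain.tld"),),
}

if __name__ == "__main__":
    print(hostname_matches(QUESTION_CERT, "host.domain.tld"))      # True, via SAN
    print(hostname_matches(LEGACY_CERT, "host.domain.tld"))        # True, CN fallback
    print(hostname_matches(MIXED_CERT, "domain.tld"))              # False under RFC 6125
    print(hostname_matches(MIXED_CERT, "domain.tld", san_only=False))  # True, legacy rule
```

MIXED_CERT shows the trade-off in the update: strict RFC 6125 matching rejects a name that lives only in the CN once a SAN extension is present.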
