CNAME SSL 证书 [英] CNAME SSL certificates
问题描述
如果我访问 www.example.com,它的页面上有一张图片链接到 assets.example.com,这是 assets.example2.com 的 CNAME.
If I go to www.example.com which has an image on the page that links to assets.example.com which is a CNAME for assets.example2.com.
即使 assets.example2.com 没有证书,但 assets.example.com 有,我会得到绿锁吗?
Will I get the green lock even if assets.example2.com does not have a certificate, but assets.example.com does?
推荐答案
您的 DNS 条目是使用 CNAME 还是 A 记录并不重要.重要的是客户端尝试连接的主机名.它必须与提供该资源的服务器证书中的主题备用名称之一匹配(或者,如果失败,它必须与证书的主题 DN 的 CN RDN 匹配).
Whether your DNS entry uses a CNAME or an A record doesn't matter. What matters is the host name the client is trying to connect to. It must match one of the Subject Alternative Names in the certificate of the server providing that resource (or, failing that, it must match the CN RDN of the cert's Subject DN).
如果 https://www.example.com 将图像嵌入到 https://assets.example.com(前提是两者都通过具有有效证书的 HTTPS 提供)对于每个),如果没有混合内容(没有通过 http:// 加载的资源,即没有 JavaScript,没有图像,没有 iframe,...)那么你应该得到绿色/蓝色适当的酒吧.
If https://www.example.com embeds an image to https://assets.example.com (providing both are served over HTTPS with valid certificates for each) and if there is no mixed content (no resource loaded over http://, that is no JavaScript, no image, no iframe, ...) then you should get the green/blue bar as appropriate.
如果 assets.example.com 是 assets.example2.com 的 CNAME 并且请求被发送到 https://assets.example.com,这台机器必须向客户端出示一个对assets.example.com有效的证书.
If assets.example.com is a CNAME to assets.example2.com and the requests are made to https://assets.example.com, this machine must present a certificate valid for assets.example.com to the client.
另外,如果需要在这个IP地址(和同一个端口)上同时使用多个证书,可能需要支持Server Name Indication(SNI).
In addition, if multiple certificates need to be used at the same time on this IP address (and same port), support for Server Name Indication (SNI) may be required.
或者,拥有一个支持所有这些名称的证书,通常通过多个主题备用名称 (SAN) 条目,或者可能通过通配符名称(不推荐),可以使用.
Alternatively, having a single certificate that supports all these names, typically via multiple Subject Alternative Name (SANs) entries, or possibly via wildcard names (which are not recommended), may be used.
这与 DNS 解析机制(CNAME 或 A 记录)无关.
This is independent of the DNS resolution mechanism (CNAME or A record).
这篇关于CNAME SSL 证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
