Invalid Common Name when using a SAN certificate


Problem description

I have generated a certificate for an internal server that is also accessible externally. According to this SO answer the CN and the SAN fields complement each other, and so accordingly I set the CN to server.domain.local and in the SAN I have DNS:server.domain.tld.

However, with Chrome at least, I can browse to server.domain.tld (SAN entry) without error, but I get a common name mismatch error at server.domain.local (CN).

Is this an implementation error in NSS on Chrome, or have I done something wrong? Should I have both server.domain.local and server.domain.tld in the SAN field?

Recommended answer


.. the CN and the SAN fields complement each other ..

That is only true in the general PKI case, but specific protocols have different behavior. The relevant RFC for checking the certificate in HTTPS is RFC 2818 (or the later RFC 6125), which states:

If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.

That means, if you have a SAN section it must contain all names, because the CN will not be checked.
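To make the rule concrete, here is an added example (not part of the question or answer) that implements the RFC 2818 identity selection over certificate dicts in the shape Python's ssl.getpeercert() returns; the certificate contents and the helper names identities_checked and hostname_matches are constructed to mirror the question's scenario.

```python
# Constructed certificate dicts in the shape ssl.getpeercert() returns.
# Names are the hypothetical ones from the question.
CERT_FROM_QUESTION = {            # CN=server.domain.local, SAN only has the .tld name
    "subject": ((("commonName", "server.domain.local"),),),
    "subjectAltName": (("DNS", "server.domain.tld"),),
}
CERT_NO_SAN = {                   # no SAN at all: the CN is the fallback identity
    "subject": ((("commonName", "server.domain.local"),),),
}
CERT_FIXED = {                    # both names listed in the SAN, as the answer advises
    "subject": ((("commonName", "server.domain.local"),),),
    "subjectAltName": (("DNS", "server.domain.tld"),
                       ("DNS", "server.domain.local")),
}


def _dnsname_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, and a single '*' is only
    accepted as the whole left-most label; it never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject '*' anywhere but the first label, partial-label wildcards, and
    # wildcards that would cover a whole public suffix such as '*.tld'.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def identities_checked(cert):
    """Names a client compares against, per RFC 2818 section 3.1: the dNSName
    SAN entries if any exist, otherwise the (most specific, i.e. last) CN."""
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san                # CN is ignored entirely once a dNSName SAN exists
    cns = [value for rdn in cert.get("subject", ())
           for (kind, value) in rdn if kind == "commonName"]
    return cns[-1:]


def hostname_matches(cert, hostname):
    """True if the requested hostname matches any identity the client checks."""
    return any(_dnsname_matches(name, hostname) for name in identities_checked(cert))


if __name__ == "__main__":
    for host in ("server.domain.tld", "server.domain.local"):
        print(host, hostname_matches(CERT_FROM_QUESTION, host), hostname_matches(CERT_FIXED, host))
```

Running it reproduces the question's symptom (only server.domain.tld matches the original certificate) and shows that adding the second DNS entry to the SAN, not changing the CN, is what makes server.domain.local verify.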
