CNAME SSL凭证 [英] CNAME SSL certificates
问题描述
如果我访问www.example.com,其页面上有一个链接到assets.example.com的图片,该图片是assets.example2.com的CNAME。
即使assets.example2.com没有凭证,但是assets.example.com却有,我会获得绿色锁吗?
您的DNS条目是否使用CNAME或A记录无关紧要。重要的是客户端尝试连接的主机名。它必须匹配提供该资源的服务器的证书中的主题备用名称之一(或者,如果不符合,则必须与证书主题DN的CN RDN匹配)。
如果 https://www.example.com 将图片嵌入到 https://assets.example.com (通过HTTPS提供它们,每个都有有效的证书),如果没有混合内容(没有资源通过 http:// 加载,
如果 assets.example.com
assets.example2.com 的CNAME,请求发送到 https://assets.example.com ,此计算机必须向客户机提供 assets.example.com 有效的证书。 此外,如果需要在此IP地址(和同一端口)上同时使用多个证书,则可能需要支持服务器名称指示(SNI)。
或者,具有支持所有这些名称的单个证书,通常通过多个主题备用名称(SAN)条目,或可能通过通配符名称(不推荐)。
这是独立于DNS解析机制(CNAME或A记录)。
If I go to www.example.com which has an image on the page that links to assets.example.com which is a CNAME for assets.example2.com.
Will I get the green lock even if assets.example2.com does not have a certificate, but assets.example.com does?
Whether your DNS entry uses a CNAME or an A record doesn't matter. What matters is the host name the client is trying to connect to. It must match one of the Subject Alternative Names in the certificate of the server providing that resource (or, failing that, it must match the CN RDN of the cert's Subject DN).
If https://www.example.com embeds an image to https://assets.example.com (providing both are served over HTTPS with valid certificates for each) and if there is no mixed content (no resource loaded over http://, that is no JavaScript, no image, no iframe, ...) then you should get the green/blue bar as appropriate.
If assets.example.com is a CNAME to assets.example2.com and the requests are made to https://assets.example.com, this machine must present a certificate valid for assets.example.com to the client.
In addition, if multiple certificates need to be used at the same time on this IP address (and same port), support for Server Name Indication (SNI) may be required.
Alternatively, having a single certificate that supports all these names, typically via multiple Subject Alternative Name (SANs) entries, or possibly via wildcard names (which are not recommended), may be used.
This is independent of the DNS resolution mechanism (CNAME or A record).
这篇关于CNAME SSL凭证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
