FAQ/subjectAltName (SAN)

What is subjectAltName?

subjectAltName specifies additional subject identities, but for host names (and everything else defined for subjectAltName):

subjectAltName must always be used (RFC 3280, section 4.2.1.7, first paragraph). CN is only evaluated if subjectAltName is not present, and only for compatibility with old, non-compliant software. So if you set subjectAltName, you have to use it for all host names, email addresses, etc., not just the "additional" ones.

subjectAltName and CAcert CSR parser

The CSR parser strips any commonNames and subjectAltNames whose domain the system can't match to your account. You can view the domains listed on your account by going to the domains section of the website after you log in, and then clicking on View. (For this link to work, you have to log in with your username and password, not with a client certificate.)

According to the standards, commonName will be ignored if you supply a subjectAltName in the certificate. This was verified to be working in the latest versions of both MS IE and Firefox (as of 2005/05/12).

Add multiple SANs into your CSR with OpenSSL

Create the OpenSSL Private Key and CSR with OpenSSL

Check multiple SANs in your CSR with OpenSSL
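
The following is an added example, not taken from the original wiki page, covering the steps above: it writes an OpenSSL config with several SANs, creates the private key and CSR, and lists the SANs the CSR actually carries. The host names are constructed placeholders, and the function and file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example; host names, function names and file names are
# assumptions chosen for illustration.

# make_san_csr DIR CN [EXTRA_HOST...]
# Writes DIR/openssl.cnf, DIR/server.key and DIR/server.csr.
# The CN host is repeated as DNS.1: once subjectAltName is present,
# CN is no longer evaluated for host name matching.
make_san_csr() {
    dir=$1; cn=$2; shift 2
    {
        printf '[req]\n'
        printf 'prompt = no\n'
        printf 'distinguished_name = dn\n'
        printf 'req_extensions = v3_req\n'
        printf '[dn]\n'
        printf 'CN = %s\n' "$cn"
        printf '[v3_req]\n'
        printf 'subjectAltName = @alt_names\n'
        printf '[alt_names]\n'
        i=1
        for host in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$host"
            i=$((i + 1))
        done
    } > "$dir/openssl.cnf"
    # umask keeps the unencrypted private key readable by the owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -config "$dir/openssl.cnf" \
          -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null )
}

# list_csr_sans CSR: print each DNS SAN found in the CSR, one per line.
list_csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# csr_has_san CSR HOST: succeed only if HOST is among the CSR's SANs.
csr_has_san() {
    list_csr_sans "$1" | grep -qxF -- "$2"
}
```

Call `make_san_csr /some/dir www.example.org example.org mail.example.org`, then `list_csr_sans /some/dir/server.csr` before pasting the CSR into the form, to confirm that every host name you need, including the one in CN, is listed.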

Copy content of CSR file to New Server Cert Form ...

Verify the Signed (Public) Keyfile with OpenSSL

Further Readings


FAQ/subjectAltName (last edited 2017-10-30 16:02:40 by AlesKastner)