Certificate with multiple CN fields - valid?

2010-06-02 Thread John Nagle

   Normally, when a certificate is to be valid for more than one
domain name, one name is in the CN field, and the others are in
the subjectAltName extension.

   But look at the cert for https://www.ipmirror.com/.  It has

CN = admincms.ipmirror.com
CN = business.ipmirror.cn
CN = business.ipmirror.com
CN = business.ipmirror.de
CN = business.ipmirror.jp
CN = business.ipmirror.kr
CN = chat.ipmirror.com
CN = customer.ipmirror.cn
CN = customer.ipmirror.com
CN = customer.ipmirror.de
CN = customer.ipmirror.jp
CN = customer.ipmirror.kr
CN = demo-business.ipmirror.com
CN = demo-customer.ipmirror.com
CN = imap.ipmirror.com
CN = netrunner.ipmirror.com
CN = ote-business.ipmirror.com
CN = ote-customer.ipmirror.com
CN = ote-rapi.ipmirror.com
CN = ote-registryconsole.ipmirror.com
CN = rapi.ipmirror.com
CN = rapiote.ipmirror.com
CN = rcube.ipmirror.com
CN = register.ipmirror.de
CN = registryconsole.ipmirror.com
CN = telhosting.ipmirror.com
CN = www.ipmirror.com

This was issued by

CN = PositiveSSL CA
O = Comodo CA Limited
L = Salford
ST = Greater Manchester
C = GB

Validity dates are
(1/6/2010 0:00:00 AM GMT) to (7/10/2010 23:59:59 PM GMT)
so it's a currently live cert from a major CA.  The
cert chain validates properly.

Is this considered valid?

John Nagle
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Certificate with multiple CN fields - valid?

2010-06-02 Thread Konrads Smelkovs
Valid is whatever the browser understands. As X.509 is/was related to LDAP,
having multiple cn's in an entry is a no-no.
--
Konrads Smelkovs
Applied IT sorcery.





Re: Certificate with multiple CN fields - valid?

2010-06-02 Thread Willy Weisz
In order to be valid for the authentication of multiple DNS names an
X.509 certificate has to have them included in the subjAlternativeName
entry not in multiple CN entries in the subjectName. The latter
represents a single entity with potentially multiple CN entries, not
multiple entities each with a single CN.

Regards
Willy Weisz

 


-- 
---
Willy Weisz

European Centre for Parallel Computing at Vienna (VCPC)
   Computational Science Center
   University of Vienna
  Nordbergstrasse 15/C312
 A-1090 Wien
Tel: (+43 1) 4277 - 39424  Fax: (+43 1) 4277 - 9394
 e-mail: willy.we...@univie.ac.at
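
The distinction drawn in this reply, as an added example (not code from any poster or from OpenSSL): a hostname check following the RFC 2818 rule, where dNSName entries in subjectAltName are used if present and otherwise only the most specific CN is. The dict shape is the one Python's ssl.SSLSocket.getpeercert() returns; the certificates are constructed from three names in the thread, and treating the last CN as "most specific" is an assumption.

```python
# Added example: cert dicts use the shape returned by ssl.SSLSocket.getpeercert().

def common_names(cert):
    """All CN values from the subject, in encoded order."""
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]

def dns_sans(cert):
    """All dNSName entries from subjectAltName."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]

def label_match(pattern, host):
    """Case-insensitive match; '*' may stand for the whole leftmost label only."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def hostname_ok(cert, host):
    """RFC 2818 rule: dNSName SANs if any exist, else the most specific CN."""
    sans = dns_sans(cert)
    if sans:
        return any(label_match(s, host) for s in sans)
    cns = common_names(cert)
    # Assumption: "most specific" is the last CN in the encoded subject.
    return bool(cns) and label_match(cns[-1], host)

def audit(cert):
    """Report the issuance problems discussed in the thread."""
    cns, sans = common_names(cert), dns_sans(cert)
    findings = []
    if len(cns) > 1:
        findings.append("multiple CN attributes in subject")
    uncovered = [c for c in cns if not any(label_match(s, c) for s in sans)]
    if uncovered:
        findings.append("CN not in subjectAltName: " + ", ".join(uncovered))
    return findings

# Constructed certificates using three of the names from the thread.
NAMES = ["business.ipmirror.de", "imap.ipmirror.com", "www.ipmirror.com"]
MULTI_CN = {"subject": tuple((("commonName", n),) for n in NAMES)}
WITH_SAN = {"subject": ((("commonName", NAMES[-1]),),),
            "subjectAltName": tuple(("DNS", n) for n in NAMES)}
```

Under this rule the multi-CN form authenticates only one of its names, while the subjectAltName form authenticates all of them.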


Re: Certificate with multiple CN fields - valid?

2010-06-02 Thread Michael Ströder
John Nagle wrote:
> Normally, when a certificate is to be valid for more than one
> domain name, one name is in the CN field, and the others are in
> the subjectAltName extension.
>
> But look at the cert for https://www.ipmirror.com/.

This might serve as an interesting example for the people discussing
draft-saintandre-tls-server-id-check on the ietf-certid list:

https://www.ietf.org/mailman/listinfo/certid

Ciao, Michael.