Does Apache only examine CN=, or does it also check subjectAltNames dNS entries?

-Kyle H

On Sun, Dec 23, 2018 at 3:25 AM Walter H. <Walter.H@xxxxxxxxxxxxxxxxx> wrote:
>
> On 23.12.2018 03:47, Salz, Rich via openssl-users wrote:
> >
> > >. New certificates should only use the subjectAltName extension.
> >
> > >> Are any CAs actually doing that? I thought they all still included subject.CN.
> >
> > Yes, I think commercial CA's still do it. But that doesn't make my statement wrong :)
> >
> Apache raises a warning at the following condition
>
> e.g. a virtual Host defines this:
>
> ServerName www.example.com:443
>
> and the SSL certificate has a CN which does not correspond to
> CN=www.example.com, e.g. CN=example.com
>
> then the warning looks like this
>
> [Fri Dec 07 07:08:19.393876 2018] [ssl:warn] [pid 29746] AH01909:
> www.example.com:443:0 server certificate does NOT include an ID which
> matches the server name
>
> and fills up the logs
>
> Walter
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
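
The AH01909 warning quoted in the thread repeats in the error log, so the following added example (not part of the thread or of Apache) groups those lines by ServerName and port, making each virtual host with a mismatching certificate show up once. The function name `summarize` and all sample log lines except the first, which is the line quoted above with its wrapping removed, are constructed for illustration.

```python
import re
from datetime import datetime

# Error-log layout taken from the AH01909 line quoted in the thread.
# The optional ":tid N" covers threaded MPMs, which log "[pid N:tid M]".
AH01909 = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:warn\] \[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"AH01909: (?P<host>\S+?):(?P<port>\d+):(?P<idx>\d+) "
    r"server certificate does NOT include an ID which matches the server name"
)

# First line: the warning from the thread, unwrapped. The rest are constructed.
SAMPLE_LOG = """\
[Fri Dec 07 07:08:19.393876 2018] [ssl:warn] [pid 29746] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Dec 07 07:08:19.401210 2018] [core:notice] [pid 29746] constructed unrelated line
[Fri Dec 07 09:15:02.118400 2018] [ssl:warn] [pid 30112] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Dec 08 01:00:00.000001 2018] [ssl:warn] [pid 30500:tid 7] AH01909: mail.example.com:443:0 server certificate does NOT include an ID which matches the server name
""".splitlines()


def summarize(lines):
    """Group AH01909 warnings by (ServerName, port); other lines are skipped."""
    hosts = {}
    for line in lines:
        m = AH01909.match(line.strip())
        if not m:
            continue
        seen = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        key = (m["host"].lower(), int(m["port"]))
        entry = hosts.setdefault(key, {"count": 0, "first": seen, "last": seen})
        entry["count"] += 1
        entry["first"] = min(entry["first"], seen)
        entry["last"] = max(entry["last"], seen)
    return hosts


if __name__ == "__main__":
    for (host, port), e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host}:{port}  {e['count']}x  first={e['first']}  last={e['last']}")
```

Each host it reports is a virtual host whose certificate should be inspected, for example with `openssl x509 -noout -text`, to compare the subject CN and the subjectAltName entries against the configured ServerName.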