    SSL Certificates and Subject Alternative Names

    Last updated on Jan 28, 2021

    Popular browsers such as Chrome and Firefox have changed the way they verify SSL certificates, causing error messages to be displayed when users attempt to visit certain web servers. This document describes how such error messages can be safely avoided.

    Background

    When the X.509 standard was first published (1998), the practice was to use the Common Name field in the Subject portion of a certificate to identify the server (by its host name) for which the certificate was being issued. This meant that each variant of a domain (www.mysite.com, www2.mysite.com, mysite.com, etc.) needed its own certificate.

    As X.509 evolved, the Subject Alternative Name (SAN) extension was introduced, allowing multiple identities (email addresses, DNS names, IP addresses, and URIs) to be asserted in a single certificate. But since a DNS name could now appear in both the Common Name and the SAN extension, which one took priority?

    IETF RFC 2818 (2000) describes how a domain name is matched against a certificate, in order of precedence:

    1. Compare the domain name against entries in the Subject Alternative Name extension.
    2. In the absence of a SAN extension, fall back to the Common Name.

    RFC 2818 is explicit that the second step is a fallback only: "If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead."

    RFC 6125 (2011) further affirms the precedence of the SAN:

    "For TLS authentication with X.509 certificates, an identity from the DNS namespace MUST be checked against each subjectAltName extension of type dNSName present in the certificate. If no such extension is present, then the identity MUST be compared to the (most specific) Common Name in the Subject field of the certificate."

    The use of the Common Name field, however, was tied to an enormous number of existing certificates, and the practice remained widely popular. Even though fallback was deprecated, all web browsers continued to accept Common Names in place of missing or incomplete SAN entries.

    In April 2017, Google decided to remove support for Common Name matching in certificates as part of a more general move to enhance browser security. The Google Developers' site states:

    "The use of the subjectAlternativeName fields leaves it unambiguous whether a certificate is expressing a binding to an IP address or a domain name, and is fully defined in terms of its interaction with Name Constraints. However, the commonName is ambiguous, and because of this, support for it has been a source of security bugs in Chrome, the libraries it uses, and within the TLS ecosystem at large. The compatibility risk for removing commonName is low. RFC 2818 has deprecated this for nearly two decades, and the baseline requirements (which all publicly trusted certificate authorities must abide by) has required the presence of a subjectAltName since 2012. Firefox already requires the subjectAltName for any newly issued publicly trusted certificates since Firefox 48."

    Regarding the Subject Alternative Name Extension, section 7.1.4.2.1 of the CA/Browser Forum Baseline Requirements states:

    "This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST confirm that the Applicant controls the Fully-Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate. Wildcard FQDNs are permitted."
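    The matching rules quoted above (RFC 2818 and RFC 6125 precedence, the deprecated Common Name fallback that browsers dropped, and the IP-versus-domain ambiguity of a Common Name) as a worked example. This is added example code, not part of the original page and not Haivision code. It assumes the certificate dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same function can be run on a real peer certificate; the two certificates below (`SAN_CERT`, `CN_ONLY_CERT`) and the host names are constructed for illustration.

```python
"""Hostname matching as RFC 2818 / RFC 6125 describe it (added example)."""
import ipaddress
from typing import Optional, Tuple

# Constructed: a certificate meeting the CA/B Forum rule (SAN with a dNSName
# FQDN, a wildcard FQDN and an iPAddress).  Its Common Name is the bare
# domain, which the SAN does NOT cover, so the CN must be ignored.
SAN_CERT = {
    "subject": ((("countryName", "CA"),), (("commonName", "mysite.com"),)),
    "subjectAltName": (
        ("DNS", "www.mysite.com"),
        ("DNS", "*.mysite.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed: a legacy certificate with no SAN extension at all.
CN_ONLY_CERT = {
    "subject": ((("countryName", "CA"),), (("commonName", "legacy.mysite.com"),)),
}


def _parse_ip(text: str):
    """Return the address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against a host name (RFC 6125 section 6.4.3).

    Case-insensitive.  A wildcard is honoured only as the whole left-most
    label and stands for exactly one label: '*.mysite.com' covers
    'www2.mysite.com' but neither 'mysite.com' nor 'a.b.mysite.com'.
    '*.com'-style patterns are rejected (conservative choice of this example).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def verify_hostname(cert: dict, hostname: str,
                    allow_cn_fallback: bool = False) -> Tuple[bool, str]:
    """Return (matched, reason) for hostname against cert.

    If a subjectAltName extension is present, only it is consulted and the
    Common Name is ignored even when it would have matched.  The Common Name
    is used only when there is no SAN at all AND the caller opts in; the
    default (no fallback) is the Chrome 58+ / Firefox 48+ behaviour.
    """
    san = cert.get("subjectAltName", ())
    wanted_ip = _parse_ip(hostname)

    if san:
        if wanted_ip is not None:
            # An IP literal may only match an iPAddress entry, never a dNSName.
            for kind, value in san:
                if kind == "IP Address" and _parse_ip(value) == wanted_ip:
                    return True, f"matched iPAddress {value}"
            return False, "subjectAltName has no matching iPAddress"
        for kind, value in san:
            if kind == "DNS" and _dns_match(value, hostname):
                return True, f"matched dNSName {value}"
        return False, "subjectAltName present but no dNSName matches (CN ignored)"

    if not allow_cn_fallback:
        return False, "no subjectAltName extension and CN fallback is disabled"

    # RFC 2818: the "most specific" Common Name is the last one in the Subject.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not cns:
        return False, "no subjectAltName and no commonName"
    cn = cns[-1]
    # A CN is only a string: '192.0.2.10' could be a host name or an address.
    # That is the ambiguity the Chrome announcement above refers to.
    matched = (_parse_ip(cn) == wanted_ip) if wanted_ip else _dns_match(cn, hostname)
    verdict = "matched" if matched else "did not match"
    return matched, f"commonName {cn!r} {verdict} (deprecated fallback)"


if __name__ == "__main__":
    for host in ("www.mysite.com", "www2.mysite.com", "mysite.com", "192.0.2.10"):
        print(f"{host:16} {verify_hostname(SAN_CERT, host)}")
    print("legacy, strict  ", verify_hostname(CN_ONLY_CERT, "legacy.mysite.com"))
    print("legacy, fallback", verify_hostname(CN_ONLY_CERT, "legacy.mysite.com", True))
```

    Running the script shows the failure mode this page is about: `mysite.com` is rejected against `SAN_CERT` even though it is the Common Name, because the SAN extension is present and incomplete, and `CN_ONLY_CERT` is rejected outright unless the deprecated fallback is switched on.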
