Computer Security

Common Name (CN) in SSL Cert

Senthil Nayagan
2 min read · Mar 23, 2021

What is Common Name (CN) in our SSL certificate?

In our CSR/certificate, the Common Name, also known as CN, represents the server name (FQDN¹) protected by the SSL certificate. Note that the certificate is valid only for the exact FQDN given as the CN in our CSR/certificate. An SSL certificate is issued for one specific host, identified by its Common Name, so the Common Name must be the same as the web address we access when connecting to a secure site.

The Common Name field is often misinterpreted and filled out incorrectly with our organization’s actual name. Most web browsers display a warning message (“host name mismatch error”) when connecting to an address that does not match the common name in the certificate. The Common Name is technically represented by the commonName field in the X.509 certificate specification.

In the case of a single-name certificate, the Common Name consists of a single host name (e.g. example.com, www.example.com), or a wildcard name in the case of a wildcard certificate (e.g. *.example.com).

An SSL certificate activated with the CSR code generated for www.example.com will not cover security.example.com or any other subdomain of example.com. On the other hand, an SSL certificate activated with the CSR code generated for security.example.com will cover neither www.example.com nor example.com.

Common Name Format

The Common Name is not a URL. It doesn’t include any protocol (e.g. http:// or https://), port number, or pathname. For instance, https://example.com or example.com/path are incorrect. In both cases, the common name should be example.com.

Common Name is not mandatory

As far as X.509 is concerned, the Common Name is not mandatory.

Common Name vs. Subject Alternative Name

The Common Name can only contain up to one entry: either a wildcard or non-wildcard name. It’s not possible to specify a list of names covered by an SSL certificate in the common name field.

The Subject Alternative Name extension (also called Subject Alternate Name or SAN) was introduced to solve this limitation. The SAN allows the issuance of multi-name SSL certificates.
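The rules above (the CN is a bare host name, a certificate covers only the exact or wildcard name it was issued for, and a SAN list extends that to several names) can be checked in a few lines. This is an added example, not code from the original article; the function names are hypothetical, and it assumes RFC 6125 style matching, where a wildcard stands for exactly one leftmost label and SAN DNS names, when present, are the list that is checked.

```python
import re

# Assumption: a DNS label is letters, digits and hyphens, 1-63 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_common_name(cn: str) -> bool:
    """True if cn is a bare host name or wildcard name, not a URL."""
    if "://" in cn or "/" in cn or ":" in cn:
        return False  # scheme, path or port number: this is not a host name
    labels = cn.rstrip(".").split(".")
    if len(labels) < 2:
        return False  # not fully qualified
    if labels[0] == "*":
        labels = labels[1:]  # "*" is allowed only as the whole leftmost label
    return all(_LABEL.match(label) for label in labels)

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against the host the client connects to."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans zero or several labels
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def certificate_covers(host, common_name, san_dns_names=()):
    """Assumption: SAN entries are checked if present, otherwise the single CN."""
    names = list(san_dns_names) or [common_name]
    return any(name_matches(name, host) for name in names)

if __name__ == "__main__":
    # Constructed sample values, taken from the host names used in the article.
    for cn in ("example.com", "https://example.com", "example.com/path"):
        print(f"CN {cn!r} valid: {is_valid_common_name(cn)}")
    for host in ("www.example.com", "security.example.com", "example.com"):
        print(host,
              certificate_covers(host, "www.example.com"),
              certificate_covers(host, "*.example.com"),
              certificate_covers(host, "www.example.com",
                                 ["www.example.com", "example.com"]))
```

Note that a wildcard certificate for *.example.com does not cover example.com itself, which is why the bare domain is usually added as a SAN entry.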

References

¹FQDN stands for Fully Qualified Domain Name.
