When creating a SSL certificate should the common name be the domain name or IP address?

Time:11-10

I run this command to create a certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

It asks me to fill information as shown below:

  • Country Name (2 letter code) [AU]:US
  • State or Province Name (full name) [Some-State]:New York
  • Locality Name (eg, city) []:New York City
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test, Inc.
  • Organizational Unit Name (eg, section) []:Ministry of Water Slides
  • Common Name (e.g. server FQDN or YOUR name) []: should this be domain name or IP address?
  • Email Address []:admin@your_domain.com

CodePudding user response:

The Common Name (AKA CN) represents the server name protected by the SSL certificate. The certificate is valid only if the request hostname matches the certificate common name. Most web browsers display a warning message when connecting to an address that does not match the common name in the certificate.

In the case of a single-name certificate, the common name consists of a single host name (e.g. example.com, www.example.com), or a wildcard name in case of a wildcard certificate (e.g. *.example.com).

The common name is technically represented by the commonName field in the X.509 certificate specification.

commonName format

The common name is not a URL. It doesn’t include any protocol (e.g. http:// or https://), port number, or pathname. For instance, https://example.com or example.com/path are incorrect. In both cases, the common name should be example.com.

It must precisely match the server name where the certificate is installed. If the certificate is issued for a subdomain, it should be the full subdomain. For instance, for the www and api subdomains of example.com, the common name will be www.example.com or api.example.com, and not example.com.

CodePudding user response:

The common name of a server certificate is irrelevant for modern TLS stacks. Instead, the Subject Alternative Names must be used. CN is considered obsolete and major browsers (Google Chrome and related) will not even consider what's inside the CN.

In the SAN, the name that is used to access the site needs to be given. This means that if the URL is https://domain/ then domain must be used as a SAN of type DNSName. If the URL instead is https://ip/ then ip must be used with SAN type IPAddr. For domains, wildcards can be used too, but only a single wildcard in the leftmost label.
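
The following is an added example, not code from either answer or from the original post. It takes the `openssl req -x509` command from the question, makes it non-interactive with `-subj`, and puts the identities where the second answer says they belong: DNS names as `DNS:` entries and the IP address as an `IP:` entry in subjectAltName, with the bare hostname (no scheme, port or path, as the first answer describes) in the CN. It then uses `openssl verify -verify_hostname` / `-verify_ip` against the self-signed certificate itself to show which names a client would accept. It assumes OpenSSL 1.1.1 or newer (for `req -addext` and `x509 -ext`); example.com, `*.example.com` and 203.0.113.10 are constructed sample values, not real hosts.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes OpenSSL >= 1.1.1
# (needed for `req -addext` and `x509 -ext`). The names example.com,
# *.example.com and 203.0.113.10 are constructed sample values.

# make_san_cert OUTDIR CN SANLIST
# Same `openssl req -x509` as in the question, made non-interactive, with the
# identities placed in subjectAltName. SANLIST uses openssl's own syntax,
# e.g. "DNS:example.com,DNS:*.example.com,IP:203.0.113.10".
make_san_cert() {
    outdir=$1; cn=$2; san=$3
    mkdir -p "$outdir"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$outdir/server.key" -out "$outdir/server.crt" \
        -subj "/C=US/ST=New York/L=New York City/O=Test Inc/CN=$cn" \
        -addext "subjectAltName=$san" 2>/dev/null
}

# print_san CERT: show which SAN entries the certificate actually carries.
print_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# check_name CERT NAME: exit 0 if NAME is covered by the certificate,
# non-zero otherwise. The cert is self-signed, so it is its own trust anchor.
# IP literals are matched against IPAddress SAN entries (-verify_ip),
# DNS names against DNSName entries (-verify_hostname), as a browser does.
check_name() {
    cert=$1; name=$2
    case $name in
        *:*)        opt=-verify_ip ;;        # IPv6 literal
        *[!0-9.]*)  opt=-verify_hostname ;;  # has letters or hyphens: DNS name
        *)          opt=-verify_ip ;;        # IPv4 literal
    esac
    openssl verify -CAfile "$cert" "$opt" "$name" "$cert" >/dev/null 2>&1
}

# Demo when run directly: one cert for the apex name, any single-label
# subdomain (one wildcard, leftmost label only) and the server's IP address.
demo() {
    dir=$(mktemp -d)
    make_san_cert "$dir" example.com "DNS:example.com,DNS:*.example.com,IP:203.0.113.10"
    print_san "$dir/server.crt"
    for n in example.com www.example.com 203.0.113.10 a.b.example.com 203.0.113.11; do
        if check_name "$dir/server.crt" "$n"; then
            echo "$n: OK"
        else
            echo "$n: mismatch"
        fi
    done
    rm -rf "$dir"
}
demo
```

Running it shows example.com, www.example.com (via the wildcard) and 203.0.113.10 accepted, while a.b.example.com (two labels under the wildcard) and 203.0.113.11 are rejected. Two points worth checking on your own certificate: an address written as `DNS:203.0.113.10` is not an IPAddress entry and will not satisfy `-verify_ip`, and a certificate with a correct CN but no subjectAltName at all is what produces the browser warnings the question is about.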
