Decoding SSL Certificate Server Name Resolution
Understanding how a client decides which name in an SSL certificate applies to the server it is talking to is crucial for establishing secure communication. The sections below walk through the common questions.
Server Name Resolution for SSL Certificates
RFC 2818 and RFC 6125 define hostname verification for SSL certificates. If the certificate carries no "dNSName" Subject Alternative Name (SAN), the Common Name (CN) field of the subject is used instead. However, CN-based matching is deprecated, and SANs are preferred.
Browser Behavior vs. Java's Mechanism
Browsers have often been more lenient with CN-based server names, allowing connections even when the CN does not match the domain. Java, on the other hand, follows the RFC strictly: it accepts a matching dNSName SAN, or, only when no dNSName SAN is present, a matching CN.
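The matching order described above (SAN first, CN only as a fallback, IP literals only against iPAddress SANs), as an added example written for this article rather than code from Java or the JDK; the certificate model, the sample certificates and the wildcard rule (a single "*" as the whole left-most label) are assumptions of this example:

```python
import ipaddress


def _as_ip(value):
    """Return an ipaddress object for an IP literal, or None for a DNS name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_match(pattern, hostname):
    """RFC 6125-style DNS-ID match: case-insensitive, wildcard allowed only as
    the entire left-most label, and it matches exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p == h:
        return True
    # Reject "*.com"-style wildcards and any wildcard outside the first label.
    if p[0] != "*" or len(p) < 3 or len(p) != len(h) or "*" in p[1:]:
        return False
    return p[1:] == h[1:]


def hostname_matches(cert, hostname):
    """Decide whether `cert` is valid for `hostname`: SAN entries first,
    CN only when no dNSName SAN exists, IP literals only via iPAddress SANs.
    `cert` is a constructed dict: {"san": [(kind, value), ...], "cn": str}."""
    target_ip = _as_ip(hostname)
    if target_ip is not None:
        # RFC 2818: an IP in the URI must match an iPAddress SAN; no CN fallback.
        return any(kind == "ip" and _as_ip(val) == target_ip
                   for kind, val in cert["san"])
    dns_ids = [val for kind, val in cert["san"] if kind == "dns"]
    if dns_ids:
        # A dNSName SAN is present: the CN is ignored entirely.
        return any(_dns_match(p, hostname) for p in dns_ids)
    # Deprecated fallback: no dNSName SAN, so compare the Common Name.
    return bool(cert.get("cn")) and _dns_match(cert["cn"], hostname)


# Constructed sample certificates (not real certificates).
SAN_CERT = {"san": [("dns", "www.example.com"), ("dns", "*.internal.example.com")],
            "cn": "other.example.com"}
CN_ONLY_CERT = {"san": [], "cn": "www.example.com"}
IP_CERT = {"san": [("ip", "10.0.0.1")], "cn": "10.0.0.1"}

if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "www.example.com"), (SAN_CERT, "other.example.com"),
                       (CN_ONLY_CERT, "www.example.com"), (IP_CERT, "10.0.0.1")]:
        print(host, hostname_matches(cert, host))
```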
Adding Alternative Names Using Keytool
Java's keytool includes the "-ext" option for adding SANs to certificates. Use "-ext san=dns:www.example.com" for a DNS name or "-ext san=ip:10.0.0.1" for an IP address to include the desired alternative name.
OpenSSL as an Alternative
If you prefer not to use keytool, OpenSSL can be used for this purpose. By modifying openssl.cnf, or by pointing the "OPENSSL_CONF" environment variable at your own configuration file, you can configure OpenSSL to request a SAN in certificates.
Example Configuration for OpenSSL
In openssl.cnf, add req_extensions to the "[req]" section and the subjectAltName to the "[v3_req]" section it refers to:

[req]
req_extensions = v3_req

[ v3_req ]
subjectAltName = IP:10.0.0.1
# or: subjectAltName = DNS:www.example.com
Alternative Environment Variable Trick
Alternatively, you can set an environment variable to supply the SAN value at request time. Refer to http://www.crsr.net/Notes/SSL.html for details.