Subject not considered in a certificate with SAN

Raffael Luthiger asked:

I have here a certificate with the subject “” and two subject alternative names “app1” and “app2”. When I connect with app1 or app2 to the server all is fine. But when I connect with the real name of the server (the subject) the browsers tell me that the certificate is not valid. I looked now in some certificates by digicert and they mention the subject in the SAN list as well. It looks to me like the subject is not checked any more by the browsers as soon as there are some SAN. I was reading now RFC 5280 but I couldn’t find anything that would confirm this.

Can someone give me some more information if my assumption is correct and why it is like this?

My answer:

RFC 6125 § 4.4 is what you’re looking for. It specifies that the common name (CN) is not required to be checked when subject alternate names are present, though clients are allowed to do so. In practice many clients now ignore CN completely.

Contact whoever issued your certificate and ask them to fix the mistake.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.