I am using a certificate with subject alternative names in the "Subject" field instead of x509 extensions.

A Java client that I use still fails to connect to the HTTPS URL, complaining that the hostname in the certificate didn't match. My understanding is that as long as the hostname is listed in Subject Alt Names, it should work.

Here is the format of the Subject field in the certificate:

C=US,ST=.......CN=x.yz.com/emailAddress=a@b.com/subjectAltName=DNS.1=x2.y.com,DNS.2=x3.y.com

Is it necessary to define SAN as X509 extensions?

1 Answer

The subjectAltName is expected to be an X509v3 extension of the certificate, not a part of the Subject field. Therefore, if you listed the SAN names in the Subject, your certificate is invalid.

Here's an example of a certificate that defines an SAN. This answer contains the list of allowed fields for a subject.

Simone Carletti
  • As per this [wiki](https://en.wikipedia.org/wiki/Subject_Alternative_Name), DNS names are usually included within the subject field. –  Jul 16 '16 at 18:15
  • @Sridhar That's not correct. If you read the article you linked, it says _it's an extension_. – Simone Carletti Jul 16 '16 at 18:20
  • I agree that article says it's an extension, but I was confused about this statement: "DNS Names (This is usually also provided as the Common Name RDN within the Subject field of the main certificate.)" How do I interpret that? –  Jul 16 '16 at 18:28
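
To see the difference the answer describes, this added example (not part of the original question or answer) creates two throwaway self-signed certificates: one with the names typed into the Subject, one with them in the X509v3 extension. It assumes the OpenSSL 1.1.1+ command line is installed; the shortened Subject, the file names and the helper functions are constructed for illustration, and OpenSSL's `-checkhost` stands in for the Java client's hostname verifier.

```shell
#!/bin/sh
# Constructed demo: throwaway certificates for the host names used in the question.
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT

# make_cert NAME SUBJECT [SAN_VALUE]: writes $work/NAME.pem (hypothetical helper)
make_cert() {
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
            -addext "subjectAltName=$3" \
            -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
            -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
    fi
}

# has_san_ext CERT: succeeds only if the X509v3 SAN extension is present
has_san_ext() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# host_matches CERT HOST: succeeds if OpenSSL's hostname check accepts HOST
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Names written into the Subject, as in the question: this is only a DN
# attribute, so no extension is created.
make_cert in_subject '/C=US/CN=x.yz.com/subjectAltName=DNS.1=x2.y.com,DNS.2=x3.y.com'
# The same names as a real X509v3 extension.
make_cert in_ext '/C=US/CN=x.yz.com' 'DNS:x.yz.com,DNS:x2.y.com,DNS:x3.y.com'

for name in in_subject in_ext; do
    cert="$work/$name.pem"
    if has_san_ext "$cert"; then ext=yes; else ext=no; fi
    if host_matches "$cert" x2.y.com; then match=yes; else match=no; fi
    echo "$name: SAN extension=$ext, x2.y.com accepted=$match"
done
```

Running `openssl x509 -noout -text` on a certificate you already have and looking for the `X509v3 Subject Alternative Name` section is the quickest way to tell which of the two cases you are in.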