I'm trying to parse some output from SSL client to check if a bunch of servers have valid certificates. I'm looking at the output of this command:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -subject -dates
I notice that wildcard certificates issued from Let's Encrypt only list "CN = example.com" in "subject" field, while wildcard certificates issued from some other CA use "CN = *.example.com"
Is this normal? Will there be some certificates that are listed as "CN = example.com" in the "subject" field which are not wildcard and would break in the browser if I try to open "subdomain.example.com"?
Or is there maybe some better way to validate if certificate is for correct domain on the command line?
Thanks.
Certificates are valid for the Subject included in the certificate, but when there are any Subject Alternative Name entries, they are valid for those.
So limiting the openssl x509 output to only the subject is an inconclusive test.
A certificate with
is effectively equivalent to
and although the Subject can only list one name both certificates are valid for both the bare domain AND the subdomain wildcard.
As far as I know there is neither a convention nor a technical reason to prefer one of the above options to the other and you can expect to see both. What you see depends on the options originally used by the admin requesting the certificate.
And you commonly even see a completely different Subject when requesting the certificate for www.example.com when one or more completely different domain names are also in use:
Displaying the SAN entries is not completely trivial in older versions of openssl that don't support the -ext subjectAltName option yet: https://stackoverflow.com/q/20983217
The advent of Server Name Indication (SNI) means that a server is not limited to using only a single TLS certificate but can be configured with multiple certificates, each valid for different DNS names, DNS wildcards and possibly IP-addresses.
The fact that connecting with SNI to https://www.example.net:443 results in a certificate valid for only www.example.net (and no SAN entries) does not mean that requests for a different hostname will result in an error.
Until you actually try it you won't know beforehand whether connecting to the same server with an SNI request for other names will result in a certificate error.
If the server is configured with a separate additional and valid certificate for subdomain.example.net you won't know until you actually request
https://subdomain.example.net:443
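A worked illustration of the answer's point (added example, not code from the question or the answer): instead of reading only the Subject CN, parse the SAN entries that openssl x509 -noout -subject -ext subjectAltName prints and test a hostname against them with the usual wildcard rules (a wildcard covers exactly one leftmost label, so *.example.com covers sub.example.com but neither example.com nor a.b.example.com). The SAMPLE_OUTPUT text is constructed to look like the tool's output for a Let's Encrypt style certificate whose Subject names only the bare domain; fetch_cert_output is an assumed helper that runs the pipeline from the question against a live host and is not exercised offline.

```python
import re
import subprocess

# Constructed sample of what `openssl x509 -noout -subject -ext subjectAltName`
# prints for a certificate whose Subject lists only the bare domain while the
# SAN extension also covers the wildcard. Not captured from a real host.
SAMPLE_OUTPUT = """\
subject=CN = example.com
X509v3 Subject Alternative Name: 
    DNS:example.com, DNS:*.example.com
"""

# Constructed sample of a certificate with a Subject CN and no SAN extension.
SAMPLE_CN_ONLY = "subject=C = US, O = Example Org, CN = www.example.net\n"


def parse_subject_cn(text):
    """Extract the CN from the `subject=` line (handles both 'CN = x' and '/CN=x' styles)."""
    m = re.search(r'^subject=.*?CN\s*=\s*([^,/\n]+)', text, re.M)
    return m.group(1).strip() if m else None


def parse_san_dns_names(text):
    """Return the DNS: entries of the SAN extension, lower-cased, in print order."""
    names = []
    in_san = False
    for line in text.splitlines():
        if 'Subject Alternative Name' in line:
            in_san = True          # the entries follow on the indented line(s)
            continue
        if in_san:
            if not line.startswith((' ', '\t')):
                break              # left the indented extension body
            for entry in line.split(','):
                entry = entry.strip()
                if entry.startswith('DNS:'):
                    names.append(entry[len('DNS:'):].strip().lower())
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style match: '*' only as the whole leftmost label, covering exactly one label."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if pattern == hostname:
        return True
    if not pattern.startswith('*.'):
        return False
    suffix = pattern[1:]                      # '.example.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]        # what the '*' would have to stand for
    return bool(leftmost) and '.' not in leftmost


def certificate_covers(text, hostname):
    """True if the certificate output covers hostname.

    As the answer says, SAN entries take precedence whenever they are present;
    the Subject CN is only consulted for certificates without a SAN extension
    (note that current browsers ignore the CN entirely and require a SAN).
    """
    sans = parse_san_dns_names(text)
    if sans:
        candidates = sans
    else:
        cn = parse_subject_cn(text)
        candidates = [cn] if cn else []
    return any(name_matches(p, hostname) for p in candidates)


def fetch_cert_output(host, port=443):
    """Assumed helper: run the question's pipeline for a live host (needs network
    and an openssl that supports -ext, i.e. 1.1.1 or newer). Not run offline."""
    s_client = subprocess.run(
        ['openssl', 's_client', '-servername', host, '-connect', f'{host}:{port}'],
        input=b'', capture_output=True, check=False)
    x509 = subprocess.run(
        ['openssl', 'x509', '-noout', '-subject', '-ext', 'subjectAltName'],
        input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()


if __name__ == '__main__':
    for host in ('example.com', 'sub.example.com', 'a.b.example.com'):
        print(host, certificate_covers(SAMPLE_OUTPUT, host))
```

The check deliberately mirrors the answer's caveat: a certificate whose Subject says only CN = example.com is still fine for subdomain.example.com if its SAN list carries the wildcard, which is why the SAN entries, not the Subject, decide the result.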