Thursday, November 5, 2015

Subject Alternative Names for multiple hosts and domains

A certificate can be used for multiple hosts and domains. I believe there's no limit on how many names can be included, but some CAs will set limits during signing. I figure they are concerned with making money ;)

These certificates are also referred to as Multi-Domain or UCC (Unified Communications Certificate) certificates, and they can be a mix of wildcards and plain host names. So the Subject Alternative Name field could list multiple sites, or even multiple wildcards.

e.g.

  site1.domainname.com
  site2.domainname.com
  site3.domain.org
  site.domain2.com
  *.yourdomain.com
  *.someotherdomain.com
  myname.domainxyz.com
  site1.domain1.net
  info.domainnamehere.com
  asite.mydomain.biz


The Subject Alternative Name field in the certificate will always show you the hosts it can protect, regardless of whether they are wildcards or not.


e.g. (using openssl to read the x509 certificate details of a multi-domain certificate)


And by picking out a few of these hosts, we can match the certificate serial number to confirm that the same certificate is being used for the sites listed.

e.g. (using openssl to validate the certificate serial numbers)
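The two openssl checks described above, as an added example that is not part of the original post: it issues a throwaway self-signed certificate with a constructed SAN list (the host names are made up), then reads back the Subject Alternative Name entries and the serial number, and adds a small check of which hosts the certificate actually covers. It assumes OpenSSL 1.1.1 or later for `req -addext`.

```shell
# Added example, not from the original post: issue a throwaway
# self-signed certificate with a constructed multi-domain SAN list,
# then read back the two fields the post compares across hosts:
# the Subject Alternative Name entries and the serial number.
# Assumes OpenSSL 1.1.1 or later (for "req -addext").
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/multi.pem"

# Constructed SAN list: plain hosts and wildcards mixed, as in the post.
SAN_LIST="DNS:site1.domainname.com,DNS:site2.domainname.com"
SAN_LIST="$SAN_LIST,DNS:*.yourdomain.com,DNS:*.someotherdomain.com"

make_multi_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=site1.domainname.com" -addext "subjectAltName=$SAN_LIST" \
        -keyout "$WORK/multi.key" -out "$CERT" 2>/dev/null
}

# Print the SAN entries one per line, without the "DNS:" prefix.
list_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr -d ' ' | tr ',' '\n' | sed 's/^DNS://'
}

# Print the serial; two hosts presenting the same serial use the same cert.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Exit 0 if the cert names the host exactly or via a single-label wildcard
# (*.yourdomain.com covers www.yourdomain.com, not yourdomain.com itself).
covers_host() {
    host="$2"
    list_sans "$1" | {
        while read -r san; do
            case "$san" in
                "$host") exit 0 ;;
                \*.*) if [ "${host#*.}" = "${san#\*.}" ] && [ "$host" != "${host#*.}" ]; then exit 0; fi ;;
            esac
        done
        exit 1
    }
}

make_multi_san_cert
echo "serial $(cert_serial "$CERT") covers:"; list_sans "$CERT"
covers_host "$CERT" www.yourdomain.com && echo "www.yourdomain.com: covered by wildcard"
```

Against a live site, replace the local file with `openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509` to fetch the presented certificate, then compare the serial across the hosts of interest.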



This goes back to the certificate chain of trust: a compromise anywhere along that chain can impact the host(s). An attacker who compromises this certificate by gaining access to the private key could in fact gain access to encrypted data for any of the domains listed in the Subject Alternative Name.

  • The advantage of multiple Subject Alternative Names: you can protect multiple sites with just one certificate (great for a web-hosting business)
  • The price could be better for a web-hosting company or an enterprise that has multiple satellite DBAs and where a "*" wildcard is not applicable
  • From an SSL-decryption standpoint, the multiple names allow a single configuration or ssl-decryption-policy for X number of sites
  • The disadvantage: if the certificate is compromised and revoked, you can affect multiple sites, in terms of risk, time or cost
  • Any of the foreign websites that use this certificate's private key, and so have access to it, could potentially have access to your data if they were to MiTM (man in the middle) you


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \
