Thursday, November 5, 2015

Subject Alternative Names: multiple hosts and domains

A certificate can be used for multiple hosts and domains. I believe there's no limit on how many can be included, but some CAs will set limits during signing. I figure they are concerned with making money ;)

These certificates are also referred to as Multi-Domain or UCC (Unified Communications Certificate) certificates, and the names they cover can be a mix of wildcards and plain host names. So the Subject Alternative Name field could list multiple sites, or even multiple wildcards.


The Subject Alternative Name field in the certificate will always show you the hosts that it can protect, regardless of whether they are wildcards or not. (The Common Name alone is not enough; modern browsers only match against the SAN list.)

e.g. (using openssl to read the X.509 certificate details for a multi-domain certificate)

And by picking a few of the listed hosts and connecting to each one, we can compare the certificate serial numbers to confirm that the same certificate is being served for the sites listed.

e.g. (using openssl to compare the certificate serial numbers)
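As an added example (not part of the original post), the script below builds a throwaway multi-domain certificate locally and then reads its Subject Alternative Name list and serial number with openssl, which is what the two screenshots above would show for a real server certificate. All host names in it are constructed placeholders; `live_serial` is the only function that touches the network and is not called by default.

```shell
#!/bin/sh
# Added example, not from the original post. Host names are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/multi.pem"
KEY="$WORK/multi.key"

# 1. Self-signed cert whose SAN mixes plain hosts and a wildcard. The config-file
#    route works on old and new OpenSSL releases (no -addext needed).
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = example.com
[v3]
subjectAltName = DNS:example.com, DNS:www.example.com, DNS:*.example.net, DNS:mail.example.org
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$KEY" -out "$CERT" -config "$WORK/san.cnf" >/dev/null 2>&1

# 2. List the DNS names in the SAN extension, one per line.
san_hosts() {
    openssl x509 -in "$1" -noout -text \
      | grep -A1 'Subject Alternative Name' \
      | tail -n 1 \
      | tr ',' '\n' \
      | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# 3. Serial number in hex, as openssl prints it (serial=HEX).
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# 4. Does a host name fall under this cert? Either an exact SAN entry, or a "*."
#    entry whose suffix matches and covers exactly one extra label. Browsers do
#    not let the wildcard span dots, so *.example.net covers api.example.net but
#    neither example.net nor a.b.example.net.
san_matches() {
    cert="$1"; host="$2"
    san_hosts "$cert" | while IFS= read -r entry; do
        case "$entry" in
            \*.*)
                suffix="${entry#\*.}"
                rest="${host%.$suffix}"
                if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest%.*}" = "$rest" ]; then
                    echo match
                fi
                ;;
            *)
                [ "$entry" = "$host" ] && echo match
                ;;
        esac
    done | grep -q match
}

# 5. Live version of the serial check (needs network, not called here): fetch the
#    leaf certificate a server presents for one SNI name and print its serial.
live_serial() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -noout -serial | cut -d= -f2
}

echo "SAN hosts:"; san_hosts "$CERT"
echo "serial: $(cert_serial "$CERT")"
for h in www.example.com api.example.net a.b.example.net example.net; do
    if san_matches "$CERT" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
```

Against real servers, `live_serial www.site1.example; live_serial www.site2.example` is the serial comparison from the second screenshot: identical serials mean the two names are served by the same certificate. The `-servername` flag matters, because a host that picks a certificate per SNI name will hand back a different serial without it.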

This goes back to the certificate chain of trust: a compromise anywhere along that chain can impact the host(s) below it. An attacker who compromises this certificate by gaining access to its private key can impersonate, and man-in-the-middle, every name listed in the Subject Alternative Name field, and where the server negotiates RSA key exchange (no forward secrecy) can also decrypt captured traffic for any of those domains.

  • The advantage of multiple Subject Alternative Names: you can protect multiple sites with just one certificate (great for a web-hosting business).

  • The price can work out better for a web-hosting business or an enterprise that has multiple satellite DBAs, where a "*" wildcard does not apply because the sites sit under different domains.

  • From an SSL decryption standpoint (a firewall or proxy doing TLS inspection), the multiple names allow one configuration or ssl-decryption policy to cover X sites.

  • The disadvantage: if the certificate is compromised and has to be revoked and reissued, every site on it is affected, in risk, time and cost.

  • Any third-party website that shares this certificate's private key (as on shared hosting) and has access to the traffic path could potentially read your data if it positions itself as a MiTM (man in the middle), since it holds the very key your clients trust.

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
        /  \
