I recently generated a UCC for

  • domain1.com
  • *.domain1.com
  • domain2.com
  • *.domain2.com

Now when I visit http://domain1.com in Firefox I get:

domain1.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The certificate is only valid for the following names:
  *.domain1.com , domain2.com , *.domain2.com

(Error code: sec_error_unknown_issuer)

It complains that the SSL is

  • Issued by an untrusted authority - which is fine...
  • And it's not valid for the domain in question

Here is my SSL Cert in text form:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=Example-CA/emailAddress=webmaster@domain1.com
        Validity
            Not Before: Oct 28 11:26:20 2010 GMT
            Not After : Oct 28 11:26:20 2011 GMT
        Subject: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=domain1.com/emailAddress=webmaster@domain1.com
        Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                    OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                3F:40:13:7E:25:04:0A:B9:0F:5F:DE:5E:9D:55:94:10:EE:F2:2B:B0
            X509v3 Authority Key Identifier: 
                keyid:8E:C4:D5:F3:69:12:A9:75:DA:0D:9B:59:11:C8:DE:53:67:C0:DA:1B

            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:*.domain1.com, DNS:domain2.com, DNS:*.domain2.com
    Signature Algorithm: sha1WithRSAEncryption
Shoaibi

1 Answer

You need to include domain1.com as a Subject Alternative Name. Most browsers will ignore the common name in the subject if there are Subject Alternative Names present. That is why Firefox thinks that the certificate is not valid for https://domain1.com

Robert
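
The matching rule the answer describes, as an added example (not code from the original post): it parses the Subject and Subject Alternative Name lines from the certificate dump in the question and checks hostnames the way a browser does. The function names are hypothetical, the CN fallback follows RFC 2818, and refusing a wildcard with fewer than three labels is a conservative assumption.

```python
import re

# Constructed excerpt: the Subject and SAN lines from the certificate dump in the question.
CERT_TEXT = """\
        Subject: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=domain1.com/emailAddress=webmaster@domain1.com
            X509v3 Subject Alternative Name:
                DNS:*.domain1.com, DNS:domain2.com, DNS:*.domain2.com
"""

def parse_names(cert_text):
    """Return (common_name, [dNSName SAN entries]) from `openssl x509 -text` output."""
    cn = re.search(r"Subject:.*?CN\s*=\s*([^/,\n]+)", cert_text)
    sans = re.findall(r"DNS:([^,\s]+)", cert_text)
    return (cn.group(1).strip() if cn else None), sans

def name_matches(pattern, host):
    """Match one certificate name against a host; '*' covers exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # *.domain1.com has 3 labels, domain1.com has only 2
    if p[0] == "*":
        # Assumption: refuse wildcards directly under a TLD such as *.com
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_valid_for(host, cn, sans):
    """If any dNSName SAN is present, the Subject CN is not consulted at all."""
    if sans:
        return any(name_matches(s, host) for s in sans)
    # Legacy RFC 2818 fallback, used only when the certificate has no dNSName SAN
    return cn is not None and name_matches(cn, host)

def report(hosts, cn, sans):
    """Map each host to whether the certificate names cover it."""
    return {h: cert_valid_for(h, cn, sans) for h in hosts}

HOSTS = ["domain1.com", "www.domain1.com", "a.b.domain1.com", "domain2.com"]

if __name__ == "__main__":
    cn, sans = parse_names(CERT_TEXT)
    print("as issued:", report(HOSTS, cn, sans))
    # The fix from the answer: list the bare name as a SAN as well.
    print("with fix: ", report(HOSTS, cn, ["domain1.com"] + sans))
```

As issued, `domain1.com` fails even though it is the CN, because the wildcard entry needs one extra label; adding `DNS:domain1.com` to the SAN list is what makes it pass.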