What happens when a CN or Alternative Name in a SAN or UCC SSL certificate no longer resolves to the server?

Are there any problems that can arise from this?

The question is general, but the specific environment I'm interested in is Linux for web hosting using Let's Encrypt certificates.

Does it affect the results of OCSP requests?

Does the fact that one or more names don't resolve to the server any more affect the remaining names that do in any way? Can the certificate be renewed?

Craig
  • Nothing happens. The requests for that domain go somewhere else. The server happily sits around wondering why it's not getting any more. Probably feels sad and lonely after a while. – ceejayoz Mar 15 '18 at 12:29
  • No, I can't see any reason it'd affect OCSP requests. Whether it affects renewal would depend entirely on how the certificate is validated with your certificate authority. If you're using Let's Encrypt, there's HTTP versus DNS validation, for example. – ceejayoz Mar 15 '18 at 12:40
  • When a client (browser) connects via HTTPS it receives the certificate from the server (as part of the TLS handshake) and checks the DNS names in the SAN in turn until one matches the FQDN in the request (the address bar). If they match, processing can continue. If there is no match, you'll get a browser error. Nothing tries to resolve the names in the SAN - it's a string comparison. Also, the CN can be anything (such as "My Wonderful Server") - it doesn't have to be a DNS name. In fact, modern browsers ignore this. – garethTheRed Mar 15 '18 at 13:26
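
The matching step garethTheRed describes, written out as an added example (this is illustration code, not code from the question or from any browser or TLS library). It models the leaf certificate as a constructed `CertIdentity` with a CN and a list of SAN dNSName entries, walks the SAN list comparing strings, and never touches DNS, so a name that no longer points at the server still matches if a client happens to request it. It goes slightly beyond the comment by applying the usual wildcard rules (whole leftmost label only, matches exactly one label, at least two labels after the `*`) and by treating the CN the way modern browsers do: it is ignored whenever a SAN extension is present. The sample certificate names are constructed.

```python
"""Hostname verification against a certificate's subjectAltName, done the way
a browser or TLS library does it: a string comparison, with no DNS lookup.
Added example code; not from the original post or from any real client."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed stand-in for a parsed X.509 leaf certificate. In a real client
# these values come from the certificate the server sent in the TLS handshake.
@dataclass
class CertIdentity:
    common_name: str
    san_dns_names: List[str] = field(default_factory=list)

# A single DNS label: letters, digits, hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing root dot is not significant.
    return name.rstrip(".").lower()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one SAN dNSName entry against the name the client asked for.

    Exact matches are case-insensitive. A wildcard is accepted only as the
    whole leftmost label ("*.example.com"), it stands for exactly one label
    (so it matches neither "example.com" nor "a.b.example.com"), and at least
    two labels must follow it so that "*.com" is never accepted.
    """
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Partial wildcards such as "w*.example.com" and wildcards in any label
    # other than the leftmost are rejected outright.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if not LABEL_RE.match(h_labels[0]):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: CertIdentity, hostname: str) -> bool:
    """Return True if `cert` is valid for `hostname`.

    Walks the SAN dNSName entries in order and stops at the first match.
    Because a SAN extension is present, the CN is not consulted at all, which
    is what current browsers do. Nothing here resolves any name: whether a
    SAN entry still points at this server is irrelevant to the comparison.
    """
    return any(dns_name_matches(name, hostname) for name in cert.san_dns_names)


# Constructed example: a Let's Encrypt style certificate covering two sites,
# where old.example.net no longer resolves to this server.
EXAMPLE_CERT = CertIdentity(
    common_name="www.example.com",
    san_dns_names=["www.example.com", "example.com", "old.example.net"],
)


if __name__ == "__main__":
    for requested in ("WWW.Example.com", "old.example.net", "mail.example.com"):
        verdict = "ok" if verify_hostname(EXAMPLE_CERT, requested) else "MISMATCH"
        print(f"{requested:20} -> {verdict}")
```

A client that somehow reaches this server while asking for `old.example.net` still gets a clean match, and a client asking for a name that is absent from the SAN fails even if that name is the CN; neither outcome depends on what any of the names resolve to.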

0 Answers