
Our browsers and computers have a set of root certificates of the CAs. Take an example: VeriSign's root certificate is installed on my machine, so I can trust all the certificates issued by that certificate. If VeriSign has issued 10 server certificates with the same root certificate, communication to all 10 will be trusted.

But what part makes the browser ensure that it is communicating with the server it really intends to, and not with one (though that server also has a valid VeriSign server certificate) which it does not?

Is it possible that the web server B is configured with the server certificate issued to server A?

Learner
  • The certificate contains a certificate path the browser can compare against the URL it is navigating. – CannedMoose Apr 20 '18 at 12:12
  • As @CannedMoose pointed out, this depends on the requested URL. To be more specific: on the host name contained in the URL. That is why you cannot create a certificate for an IP address, for example. – arkascha Apr 20 '18 at 12:41

1 Answer


A browser will check the value of the CN, a.k.a. CommonName, attribute in the certificate. It should match the hostname of the server from which the web resource was loaded. CN, however, can contain only one server FQDN. In addition to CN there is another attribute called SAN, a.k.a. Subject Alternate Name, which can also include more FQDNs or IP addresses. If you open up an X.509 certificate which contains a SAN you will see entries like

DNS.1 = somesever.com
DNS.2 = alternateserver.com
IP.1 = 10.20.30.1
IP.2 = 30.40.50.1

To answer your question: a certificate can indeed be created such that it can be used on both server A and server B by using the SAN attribute.

Farooq Khan
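The check the answer describes, as an added example that is not part of the original question or answer: a small Python model of browser hostname verification run against constructed certificates. The `Cert` class, the host names `servera.example` / `serverb.example` and the IP `10.20.30.1` are all assumptions made for the example; real browsers perform this matching inside their TLS stack, and the rules below follow RFC 6125 / RFC 2818 in spirit, including the modern behaviour of ignoring the CN whenever a SAN extension is present. It goes slightly beyond the answer by also showing the single-label wildcard rule and what happens when a name appears only in the CN.

```python
"""Toy model of browser hostname verification (added example, not from the post)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """The identity fields a browser inspects; everything else is omitted.

    Hypothetical structure for this example only, not a real X.509 parser.
    """
    subject_cn: str
    san_dns: list = field(default_factory=list)   # dNSName SAN entries
    san_ip: list = field(default_factory=list)    # iPAddress SAN entries


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one DNS pattern (possibly '*.example.test') against a hostname.

    A wildcard is honoured only as the whole leftmost label and matches exactly
    one label: '*.example.test' covers 'www.example.test' but neither
    'example.test' nor 'a.b.example.test'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Cert, requested_host: str) -> bool:
    """Return True if `cert` is valid for the host named in the URL.

    Rules applied, as current browsers do:
      * an IP literal in the URL is matched only against iPAddress SAN entries;
      * if any SAN entries exist, the CN is ignored entirely;
      * the CN is consulted only for certificates that carry no SAN at all.
    """
    try:
        ip = ipaddress.ip_address(requested_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(e) == ip for e in cert.san_ip)
    if cert.san_dns or cert.san_ip:
        return any(_dns_name_match(p, requested_host) for p in cert.san_dns)
    return _dns_name_match(cert.subject_cn, requested_host)


# Constructed certificates, modelled on the SAN listing in the answer.
CERT_A_ONLY = Cert(subject_cn="servera.example")
CERT_A_AND_B = Cert(
    subject_cn="servera.example",
    san_dns=["servera.example", "serverb.example"],
    san_ip=["10.20.30.1"],
)
CERT_A_IN_CN_ONLY = Cert(subject_cn="servera.example", san_dns=["serverb.example"])


def scenario_results() -> dict:
    """Outcomes of the scenarios raised in the question, keyed by scenario."""
    return {
        # Server B presenting the certificate issued only to server A: rejected.
        "b_with_a_cert": hostname_matches(CERT_A_ONLY, "serverb.example"),
        # One certificate covering both names through SAN: accepted on either.
        "a_with_shared": hostname_matches(CERT_A_AND_B, "servera.example"),
        "b_with_shared": hostname_matches(CERT_A_AND_B, "serverb.example"),
        # Access by IP literal works only through an iPAddress SAN entry.
        "ip_with_shared": hostname_matches(CERT_A_AND_B, "10.20.30.1"),
        "ip_with_a_only": hostname_matches(CERT_A_ONLY, "10.20.30.1"),
        # A name present only in the CN is ignored once a SAN exists.
        "a_cn_only_with_san": hostname_matches(CERT_A_IN_CN_ONLY, "servera.example"),
    }


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name:22s} {'accepted' if ok else 'REJECTED'}")
```

The last scenario is the one that trips people up in practice: a certificate whose CN names the host but whose SAN list does not will be rejected by every mainstream browser, so when issuing a certificate for several hosts every name must be listed in the SAN.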