Does the TLS cert require a common SAN?
Configuring HAProxy with TLS based on the following reference link:
Do I need to generate the certificates with a common SAN (Subject Alternative Name) on all target nodes, or
is it feasible to have separate certificates without any common SAN?
https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
Have a look at https://security.stackexchange.com/questions/172626/chrome-requires-san-names-in-certificate-when-will-other-browsers-ie-follow : some browsers (Chrome) require the names to be in the SAN section, because they now completely ignore the CN field.
So even for a single-domain certificate you need the domain both in the CN (since that is not optional) and in the SAN section.
It is also in the CAB Forum requirements, section 7.1.4.2.1:
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry.
Each entry MUST be either a dNSName containing the Fully-Qualified
Domain Name or an iPAddress containing the IP address of a server.
The CA MUST confirm that the Applicant controls the Fully-Qualified
Domain Name or IP address or has been granted the right to use it by
the Domain Name Registrant or IP address assignee, as appropriate.
Wildcard FQDNs are permitted.
Note that some other browsers (like Firefox) fall back to the CN, see https://bugzilla.mozilla.org/show_bug.cgi?id=1245280 and see the beginning of the patch at https://hg.mozilla.org/mozilla-central/rev/dc40f46fae48 for the security.pki.name_matching_mode configuration option.
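As an added example (not part of the answer above), the two name-matching policies the answer contrasts, SAN-only as in Chrome and CN fallback as Firefox's name_matching_mode allows, run over constructed certificate dicts shaped like Python's ssl.getpeercert() output. The matching rules follow RFC 6125 section 6.4; the CN fallback is a model of the described behaviour, not Firefox's own code.

```python
"""Match a hostname against a certificate's names under two policies:
SAN-only (Chrome) and CN fallback when the cert carries no SAN (Firefox)."""
import ipaddress

# Constructed sample certificates, shaped like ssl.SSLSocket.getpeercert().
CERT_WITH_SAN = {
    "subject": ((("commonName", "lb.example.com"),),),
    "subjectAltName": (("DNS", "lb.example.com"),
                       ("DNS", "*.internal.example.com"),
                       ("IP Address", "10.0.0.5")),
}
CERT_CN_ONLY = {  # CN but no subjectAltName extension at all
    "subject": ((("commonName", "node1.example.com"),),),
}

def _dns_match(pattern, hostname):
    """RFC 6125 style: case-insensitive; a wildcard is allowed only as the
    entire left-most label and never matches across a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject "*.com"-style patterns and any wildcard not in the first label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_names(cert):
    """Return (dns_sans, ip_sans, common_name) from a getpeercert() dict."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return dns, ips, cn

def matches(cert, hostname, cn_fallback=False):
    """True if hostname is covered by the cert; cn_fallback=False is the
    SAN-only policy, cn_fallback=True consults the CN only when no SAN exists."""
    dns, ips, cn = cert_names(cert)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:  # IP reference identifiers match iPAddress SANs only
        return any(ipaddress.ip_address(v) == ip for v in ips)
    if dns or ips:  # any SAN present: the CN is never consulted (RFC 6125 6.4.4)
        return any(_dns_match(p, hostname) for p in dns)
    return cn_fallback and cn is not None and _dns_match(cn, hostname)
```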