Does a cert need a Common Name matching the domain?

Alex Schroeder alex at gnu.org
Fri Jul 17 10:09:35 BST 2020


Luke Emmet writes:
> > I'm getting "failed to connect to the server: hostname does not
> > verify: x509: certificate is valid for celulinde, not
> > caranatar.xyz"

On Fri, 2020-07-17 at 04:20 -0400, Caranatar wrote:
> Ah crap apparently none of the clients I was using to test were
> actually
> verifying the certificate, and I forgot to change the CN when I
> copy/pasted my cert generation command from my laptop. It should be
> working now...

What do other people think about this? My personal impression was that
in a trust on first use (TOFU) world, the common name (CN) of a
certificate could be anything. It could be "Alex Schroeder", for
example. Or it could be "alexschroeder.ch". Even if it was served as
the certificate for another domain, like transjovian.org. After all,
the question is only whether you "trust on first use".

My impression is that a client that tries to verify that CN and domain
match is doing it wrong. What do you think? Sadly, my SSL know-how is
weak, so any pointers to how things ought to work in a TOFU world are
appreciated.

Cheers
Alex
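The two checks this thread runs together, as an added Go example (not code from the list or from any Gemini client): a TOFU pin lookup that never consults CN or SANs, beside the crypto/x509 hostname check that produced the error quoted above. The pin store, `TOFUCheck`, `NameCheck` and the self-signed fixture are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// TOFUCheck accepts cert for host purely by fingerprint, looked up in a
// hypothetical pin store keyed by host; CN and SANs never enter into it.
func TOFUCheck(known map[string][32]byte, host string, cert *x509.Certificate) string {
	fp := sha256.Sum256(cert.Raw) // SHA-256 over the DER bytes
	pinned, seen := known[host]
	if !seen {
		known[host] = fp // first contact: record the pin
		return "first-use"
	}
	if pinned == fp {
		return "match"
	}
	return "mismatch" // key changed since first use: surface it, never silently accept
}

// NameCheck is the CA-world check behind the quoted error: it matches host against SAN DNS names.
func NameCheck(cert *x509.Certificate, host string) error {
	return cert.VerifyHostname(host)
}

// SelfSigned builds a constructed self-signed certificate naming only `name` (CN and SAN).
func SelfSigned(name string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Current Go ignores the CN and matches only SANs, which is why the fixture sets both; `NameCheck` against the wrong host returns the same `x509: certificate is valid for celulinde, not caranatar.xyz` message as in the thread, while `TOFUCheck` for that host reports first-use regardless of the name.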


