18

I visited stackoverflow.com and found in Chrome that its certificate is valid and has Common Name (CN) *.stackexchange.com. After that I checked a fingerprint for stackexchange.com and it matched the first one. I thought that Chrome would show me a warning that the domain didn't match, as stackoverflow.com doesn't redirect to stackexchange.com and it doesn't have a CNAME to it - dig +short stackoverflow.com cname - shows nothing. My question is: how does Chrome recognise that stackoverflow.com is part of *.stackexchange.com?

Improve this question
3
  • 20
    The Keyword you are looking for is "Subject Alternative Name"
    – The one who tests
    Commented Sep 19, 2022 at 15:33
  • 1
    Indeed, just found out that in Firefox, Chrome doesn't show SAN, it confused me. Thanks!
    – Ghost Rider
    Commented Sep 19, 2022 at 15:34
  • 13
    Actually it does, in Details. But it should be more prominently displayed for sure.
    – Bruno Rohée
    Commented Sep 19, 2022 at 15:54

2 Answers 2

Reset to default
36

A certificate Common Name is not the only thing used to validate a certificate. It is actually only used for very primitive certificates that lack a subjectAltName extension.

The StackOverflow certificate has got a subjectAltName field with the following dNSNames in it, which allow the certificate to validate for StackOverflow.

*.askubuntu.com
*.blogoverflow.com
*.mathoverflow.net
*.meta.stackexchange.com
*.meta.stackoverflow.com
*.serverfault.com
*.sstatic.net
*.stackexchange.com
*.stackoverflow.com
*.stackoverflow.email
*.stackoverflowteams.com
*.superuser.com
askubuntu.com
blogoverflow.com
mathoverflow.net
openid.stackauth.com
serverfault.com
sstatic.net
stackapps.com
stackauth.com
stackexchange.com
stackoverflow.blog
stackoverflow.com
stackoverflow.email
stackoverflowteams.com
stacksnippets.net
superuser.com
Improve this answer
2
  • 12
    The Common Name field isn't used to validate certificates any more at least in Chrome (but I imagine also in most other browsers as well) for several years. SubjectAltNames is required these days.
    – Voo
    Commented Sep 20, 2022 at 7:42
  • 1
    Yeah in the case of TLS it's completely unused, but CN is still used in some others x.509 use cases
    – Bruno Rohée
    Commented Sep 20, 2022 at 8:13
30

Originally certificates were only valid for a single name. But with the growth of the web, it was very common that the same server would be accessible under multiple names. So certificates were extended to permit multiple names. The use of the Common Name (CN) field has been deprecated since 2000 in favor of the subjectAltName field (Subject Alternative Name, often abbreviated SAN). The subjectAltName field can contain a list of names (or name patterns starting with a wildcard), not just a single name.

The subjectAltName field for the certificate offered by https://stackoverflow.com/ includes stackoverflow.com as well as *.stackexchange.com, *.stackoverflow.com, *.meta.stackexchange.com, etc. Chrome recognizes stackoverflow.com in the subjectAltName field. It's a bit weird that it only shows the CN value in the overview, but you can view the certificate details and see the SAN entries under “*.stackexchange.com” → “Certificate” → “Extensions” → “Certificate Subject Alternative Name”.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .