
How to fix "X.509 Certificate Subject CN Does Not Match the Entity"

Posted on 2016-08-09
Last Modified: 2016-08-10
How do we fix the above?

In one site, a VA scan identified this.
Question by:sunhux
 
LVL 17

Accepted Solution

by:
Learnctx earned 2000 total points
ID: 41748493
You will have this when the certificate common name does not match the domain name of the host, or the certificate does not contain a matching subject alternate name (SAN). For example, you have a server called server1 in the domain yourdomain.com. The URL is https://server1.yourdomain.com. You find this name is not very friendly, so you create a DNS record called myapp.yourdomain.com pointing to server1.yourdomain.com. The user goes to https://myapp.yourdomain.com. The browser will throw an error saying that the certificate is not trusted because the URL does not match the certificate name.

To fix this, you would need to issue a new certificate with the new name or add a subject alternate name to the certificate for myapps.yourdomain.com.
1
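Added example, not part of the original thread or the answerer's own code: the name check behind this finding, run against the answer's server1/myapp scenario. The certificates are constructed dicts in the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the function names are hypothetical, and the CN fallback when no DNS SAN exists follows RFC 6125 (current browsers ignore the CN entirely).

```python
# Added example: name check behind the "CN does not match" finding.
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert();
# the sample certificates below are constructed, not taken from a real host.

def _label_match(pattern: str, host: str) -> bool:
    """Compare one presented name with the host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one leftmost label and needs
        # at least two more labels after it (no "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def presented_names(cert: dict) -> list[str]:
    """SAN dNSName entries if any exist; otherwise fall back to the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def hostname_matches(cert: dict, host: str) -> bool:
    return any(_label_match(name, host) for name in presented_names(cert))

def audit(cert: dict, hosts: list[str]) -> dict[str, bool]:
    """Map each name users actually browse to onto match / mismatch."""
    return {h: hostname_matches(cert, h) for h in hosts}

# Constructed certificate issued only for the server's real name.
CERT_ORIGINAL = {"subject": ((("commonName", "server1.yourdomain.com"),),)}
# Constructed reissued certificate that adds the DNS alias as a SAN.
CERT_REISSUED = {
    "subject": ((("commonName", "server1.yourdomain.com"),),),
    "subjectAltName": (("DNS", "server1.yourdomain.com"),
                       ("DNS", "myapp.yourdomain.com")),
}

if __name__ == "__main__":
    hosts = ["server1.yourdomain.com", "myapp.yourdomain.com"]
    for label, cert in (("original", CERT_ORIGINAL), ("reissued", CERT_REISSUED)):
        for host, ok in audit(cert, hosts).items():
            print(f"{label:9} {host:26} {'match' if ok else 'MISMATCH'}")
```
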
 

Author Comment

by:sunhux
ID: 41748575
Thanks very much.

So I have to obtain a new cert (if it is not a self-signed cert) from the CA
for myapps.yourdomain.com?

If this is left alone as such, is it considered a security vulnerability/risk?
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 2000 total points
ID: 41749605
No, it is not a security risk as such, just bad practice. Your browser, for example, would suggest that your connection may not be secure because it could be a possible MiTM attack. But as long as you recognise the cert as the one you installed, you can ignore the warning. If it were a customer-facing site you would want to fix it, otherwise that's just embarrassing. If it's something internal... depends how much you care. Issuing a new certificate should be a fairly straightforward procedure and take a couple of minutes. Personally, I would prefer to fix it because I like to cross my t's and dot my i's, and installing a new cert is a trivial task.
0


Question has a verified solution.
